Vulnerability Note VU#374092

Web Reference Database (refbase) contains multiple vulnerabilities

Original Release date: 21 Sep 2015 | Last revised: 21 Sep 2015

Overview

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

Description

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-6007

The application does not employ cross-site request forgery protection (CSRF) mechanisms, such as CSRF tokens.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2015-6008

The install.php file is vulnerable to command injection attacks via the adminPassword POST parameter. An attacker can also pass malicious remote file paths to the pathToMYSQL and databaseStructureFile POST parameters. Assuming the target system is able to access those remote paths, it will execute them within the context of the server application's user.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-6009

The install.php file is vulnerable to SQL Injection via the defaultCharacterSet POST parameter.

The rss.php file is vulnerable to SQL Injection via the where GET parameter.

The search.php file is vulnerable to SQL Injection via the sqlQuery GET parameter.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-6010

The install.php file is vulnerable to reflected cross-site scripting (XSS) attacks via the adminUserName, pathToMYSQL, databaseStructureFile, and pathToBibutils POST parameters.

The error.php file is vulnerable to reflected XSS attacks via the errorNo and errorMsg GET parameters.

The duplicate_manager.php file is vulnerable to a reflected XSS attack via the viewType GET parameter.

The query_manager.php file contains multiple reflected XSS vulnerabilities. When the customQuery GET parameter is set to "1", the queryAction, displayType, citeOrder, sqlQuery, showQuery, showLinks, and showRows GET parameters are all vulnerable to reflected XSS attacks. When customQuery is not provided or set to "1", only the queryID GET parameter is vulnerable. It should be noted that while the query_manager.php file is only accessible by authenticated users, the lack of CSRF protections could still enable unauthenticated attackers to exploit these XSS vulnerabilities.

The import.php file is vulnerable to reflected XSS attacks via the sourceText and sourceIDs POST variables.

The update.php file is vulnerable to reflected XSS attacks via the adminUserName POST parameter.

The application is vulnerable to stored XSS attacks through the modify.php file's typeName and fileName POST parameters. When rendered by the search.php and advanced_search.php pages, the injected Javascript in these stored values will not be safely escaped.

CWE-91: XML Injection (aka Blind XPath Injection) - CVE-2015-6011

Arbitrary XML can be injected via the unapi.php file's id GET parameter, as well as the sru.php file's stylesheet GET parameter.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2015-6012

Multiple pages are vulnerable to open redirection attacks by passing a referrer GET parameter with a malicious URL as its value in the request.


The CVSS score reflects CVE-2015-6008.

Impact

A remote, unauthenticated attacker could submit valid requests to the server on behalf of authenticated users, execute arbitrary scripts in the context of a victim's browser, directly read, write, and modify arbitrary data in the application's database, redirect victims to malicious web addresses, and execute arbitrary code on the server.

Solution

The refbase maintainers have not published a new release at this time. However, they have committed fixes for some of these issues to the bleeding-edge SVN branch. To apply these fixes, users can download the latest repository snapshot.

The SQL Injection vulnerabilities in rss.php and search.php have not yet been fixed. According to the project maintainers, the vulnerabilities in install.php and update.php will not be fixed (see workaround below).

For users who cannot upgrade at this time or do not wish to use an unofficial release of this software, please consider using the following workarounds:

Manually remove install.php and update.php

The install.php and update.php files are administrative files for installing and updating the application. When they are not needed, project maintainers suggest manually removing these vulnerable files from production deployments of the application.

Restrict access

Restrict access to the application to trusted users and networks.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Web Reference DatabaseAffected05 Jan 201515 Sep 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 6.4 E:POC/RL:W/RC:C
Environmental 1.7 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Mohab Ali for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.