Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary

Title: Web Reference Database (refbase) contains multiple vulnerabilities

Information

Name: VU#374092
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2015-09-21
Last vendor modification: 2015-09-21
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
CVSS impact score: 6.4
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#374092

Web Reference Database (refbase) contains multiple vulnerabilities

Original Release date: 21 Sep 2015 | Last revised: 21 Sep 2015

Overview

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

Description

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-6007

The application does not employ cross-site request forgery protection (CSRF) mechanisms, such as CSRF tokens.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2015-6008

The install.php file is vulnerable to command injection attacks via the adminPassword POST parameter. An attacker can also pass malicious remote file paths to the pathToMYSQL and databaseStructureFile POST parameters. Assuming the target system is able to access those remote paths, it will execute them within the context of the server application's user.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-6009

The install.php file is vulnerable to SQL Injection via the defaultCharacterSet POST parameter.

The rss.php file is vulnerable to SQL Injection via the where GET parameter.

The search.php file is vulnerable to SQL Injection via the sqlQuery GET parameter.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-6010

The install.php file is vulnerable to reflected cross-site scripting (XSS) attacks via the adminUserName, pathToMYSQL, databaseStructureFile, and pathToBibutils POST parameters.

The error.php file is vulnerable to reflected XSS attacks via the errorNo and errorMsg GET parameters.

The duplicate_manager.php file is vulnerable to a reflected XSS attack via the viewType GET parameter.

The query_manager.php file contains multiple reflected XSS vulnerabilities. When the customQuery GET parameter is set to "1", the queryAction, displayType, citeOrder, sqlQuery, showQuery, showLinks, and showRows GET parameters are all vulnerable to reflected XSS attacks. When customQuery is not provided or set to "1", only the queryID GET parameter is vulnerable. It should be noted that while the query_manager.php file is only accessible by authenticated users, the lack of CSRF protections could still enable unauthenticated attackers to exploit these XSS vulnerabilities.

The import.php file is vulnerable to reflected XSS attacks via the sourceText and sourceIDs POST variables.

The update.php file is vulnerable to reflected XSS attacks via the adminUserName POST parameter.

The application is vulnerable to stored XSS attacks through the modify.php file's typeName and fileName POST parameters. When rendered by the search.php and advanced_search.php pages, the injected JavaScript in these stored values is not safely escaped.

CWE-91: XML Injection (aka Blind XPath Injection) - CVE-2015-6011

Arbitrary XML can be injected via the unapi.php file's id GET parameter, as well as the sru.php file's stylesheet GET parameter.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2015-6012

Multiple pages are vulnerable to open redirection attacks by passing a referrer GET parameter with a malicious URL as its value in the request.

The CVSS score reflects CVE-2015-6008.

Impact

A remote, unauthenticated attacker could submit valid requests to the server on behalf of authenticated users, execute arbitrary scripts in the context of a victim's browser, directly read, write, and modify arbitrary data in the application's database, redirect victims to malicious web addresses, and execute arbitrary code on the server.

Solution

The refbase maintainers have not published a new release at this time. However, they have committed fixes for some of these issues to the bleeding-edge SVN branch. To apply these fixes, users can download the latest repository snapshot.

The SQL Injection vulnerabilities in rss.php and search.php have not yet been fixed. According to the project maintainers, the vulnerabilities in install.php and update.php will not be fixed (see workaround below).

For users who cannot upgrade at this time or do not wish to use an unofficial release of this software, please consider using the following workarounds:

Manually remove install.php and update.php

The install.php and update.php files are administrative files for installing and updating the application. When they are not needed, project maintainers suggest manually removing these vulnerable files from production deployments of the application.

Restrict access

Restrict access to the application to trusted users and networks.
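As an added example that is not part of the CERT note or the refbase project, the following Python check runs over web server access log lines and flags requests that touch the endpoints and GET parameters listed in the Description above (install.php/update.php by path, the SQL injection and XSS GET parameters, and a referrer value that points off-site), so an administrator can confirm the workarounds hold and see who is probing them. The site hostname, IP addresses and the show.php script in the constructed sample log are placeholders; POST parameters are not visible in access logs, so the install.php and update.php issues are detected by the request path alone.

```python
import re
from urllib.parse import urlparse, parse_qs

# GET parameters named in VU#374092 (refbase 0.9.6). POST parameters never
# appear in an access log, so install.php/update.php are flagged by path alone.
RISKY_GET_PARAMS = {
    "rss.php": ("where",), "search.php": ("sqlQuery",),
    "error.php": ("errorNo", "errorMsg"), "duplicate_manager.php": ("viewType",),
    "query_manager.php": ("queryID", "queryAction", "displayType", "citeOrder",
                          "sqlQuery", "showQuery", "showLinks", "showRows"),
    "unapi.php": ("id",), "sru.php": ("stylesheet",),
}
ADMIN_SCRIPTS = ("install.php", "update.php")  # maintainers: remove from production
# Combined log format (Apache/nginx); only the request line and status are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify(line, site_host="refbase.example"):
    """Return VU#374092-related findings for one access log line (site_host is a placeholder)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("target"))
    script = url.path.rsplit("/", 1)[-1]
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    if script in ADMIN_SCRIPTS:
        findings.append("admin script requested: " + script)
    for name in RISKY_GET_PARAMS.get(script, ()):
        if name in params:
            findings.append("%s param %s (VU#374092)" % (script, name))
    # Open redirect: referrer should be a local path, never an absolute or //host URL.
    for ref in params.get("referrer", []):
        host = urlparse(ref).netloc  # empty for a relative path such as search.php
        if host and host.lower() != site_host:
            findings.append("open-redirect attempt to " + host)
    return findings

def scan(log_text, site_host="refbase.example"):
    """Return (line_number, findings) for every flagged line in log_text."""
    lines = log_text.splitlines()
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line, site_host))]

# Constructed sample lines: IPs, hostnames and show.php are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Sep/2015:10:00:01 +0000] "POST /refbase/install.php HTTP/1.1" 200 512
203.0.113.5 - - [22/Sep/2015:10:00:02 +0000] "GET /refbase/rss.php?where=1%3D1 HTTP/1.1" 200 2048
198.51.100.7 - - [22/Sep/2015:10:00:03 +0000] "GET /refbase/show.php?record=12&referrer=http://external.example/x HTTP/1.1" 302 0
198.51.100.7 - - [22/Sep/2015:10:00:04 +0000] "GET /refbase/show.php?record=12&referrer=search.php HTTP/1.1" 302 0
"""
```

Running `scan(SAMPLE_LOG)` flags lines 1 to 3 and leaves the relative-path referrer on line 4 alone; a hit on install.php after the file was supposedly removed means the workaround was not applied on that host.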

Vendor Information

Vendor: Web Reference Database
Status: Affected
Date Notified: 05 Jan 2015
Date Updated: 15 Sep 2015

CVSS Metrics

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       6.4    E:POC/RL:W/RC:C
Environmental  1.7    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://sourceforge.net/projects/refbase/
  • http://www.refbase.net/index.php/Web_Reference_Database

Credit

Thanks to Mohab Ali for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2015-6007, CVE-2015-6008, CVE-2015-6009, CVE-2015-6010, CVE-2015-6011, CVE-2015-6012
  • Date Public: 21 Sep 2015
  • Date First Published: 21 Sep 2015
  • Date Last Updated: 21 Sep 2015
  • Document Revision: 37

Original Source

URL: http://www.kb.cert.org/vuls/id/374092

CWE: Common Weakness Enumeration

  %     Id       Name
  29 %  CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
  29 %  CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
  14 %  CWE-352  Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
  14 %  CWE-94   Failure to Control Generation of Code ('Code Injection')
  14 %  CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE: Common Platform Enumeration

  Type         Description  Count
  Application               4

Alert History

Date and information:

2015-09-29 09:28:06
  • Multiple Updates
2015-09-28 09:26:19
  • Multiple Updates
2015-09-22 00:21:27
  • First insertion