VuFind 1.0 Reflected XSS (Cross-site Scripting) Application 0-Day Web Security Bug

Posted by WhiteHole

VuFind 1.0 Reflected XSS (Cross-site Scripting) Application 0-Day Web Security Bug

Exploit Title: VuFind Results? &lookfor parameter Reflected XSS Web Security Vulnerability

Product: VuFind

Vendor: VuFind

Vulnerable Versions: 1.0

Tested Version: 1.0

Advisory Publication: September 20, 2015

Latest Update: September 25, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Caution Details:

(1) Vendor & Product Description:

Vendor:

VuFind

Product & Vulnerable Versions:

VuFind

1.0

Vendor URL & Download:

Product can be obtained from here,
http://sourceforge.net/p/vufind/news/

Product Introduction Overview:

“VuFind is a library resource portal designed and developed for libraries by libraries. The goal of VuFind is to enable your users to search and browse through all of your library’s resources by replacing the traditional OPAC to include: Catalog Records, Locally Cached Journals, Digital Library Items, Institutional Repository, Institutional Bibliography, Other Library Collections and Resources. VuFind is completely modular so you can implement just the basic system, or all of the components. And since it’s open source, you can modify the modules to best fit your need or you can add new modules to extend your resource offerings. VuFind runs on Solr Energy. Apache Solr, an open source search engine, offers amazing performance and scalability to allow for VuFind to respond to search queries in milliseconds time. It has the ability to be distributed if you need to spread the load of the catalog over many servers or in a server farm environment. VuFind is offered for free through the GPL open source license. This means that you can use the software for free. You can modify the software and share your successes with the community! Take a look at our VuFind Installations Wiki page to see how a variety of organizations have taken advantage of VuFind’s flexibility. If you are already using VuFind, feel free to edit the page and share your accomplishments. “

(2) Vulnerability Details:

VuFind web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug researchers before. VuFind has patched some of them. “scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training”.

(2.1) The code flaw occurs at “lookfor?” parameter in “/vufind/Resource/Results?” page.

Some other researcher has reported a similar vulnerability here and VuFind has patched it.
https://vufind.org/jira/si/jira.issueviews:issue-html/VUFIND-54/VUFIND-54.html

(3) Solution:

Update to new version.

References:
http://tetraph.com/security/xss-vulnerability/vufind-xss/
http://securityrelated.blogspot.com/2015/09/vufind-xss.html
https://vulnerabilitypost.wordpress.com/2015/09/22/vufind-xss/
http://tetraph.blog.163.com/blog/static/234603051201582525130175/
https://packetstormsecurity.com/files/133374/Winmail-Server-4.2-Cross-Site-Scripting.html
http://marc.info/?l=oss-security&m=144094021709472&w=4
http://lists.openwall.net/full-disclosure/2015/08/31/2
http://ithut.tumblr.com/post/128012509383/webcabinet-winmail-server-42-reflected-xss
http://seclists.org/fulldisclosure/2015/Aug/84
http://lists.openwall.net/full-disclosure/2015/08/31/2

CVE-2014-4134 – phpwind v8.7 Unvalidated Redirects and Forwards Web Security Vulnerabilities

Posted by WhiteHole

CVE-2014-4134 – phpwind v8.7 Unvalidated Redirects and Forwards Web Security Vulnerabilities

Exploit Title: phpwind v8.7 goto.php? &url Parameter Open Redirect Security Vulnerabilities

Product: phpwind

Vendor: phpwind

Vulnerable Versions: v8.7

Tested Version: v8.7

Advisory Publication: May 25, 2015

Latest Update: May 25, 2015

Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]

CVE Reference: CVE-2014-4134

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification

Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Caution Details:

(1) Vendor & Product Description:

Vendor:

phpwind

Product & Vulnerable Versions:

phpwind

v8.7

Vendor URL & Download:

Product can be obtained from here,

http://www.phpwind.net/thread/166

Product Introduction Overview:

“Today, the country’s 200,000 worth of small sites, there are nearly 100,000 community site uses phpwind, has accumulated more than one million sites use phpwind, there are 1,000 new sites every day use phpwind. These community sites covering 52 types of trades every day one million people gathered in phpwind build community, issued 50 million new information, visit more than one billion pages. National Day PV30 million or more in 1000 about a large community, there are more than 500 sites selected phpwind station software provided, including by scouring link Amoy satisfaction, a daily e-commerce and marketing groups, and other on-line product vigorously increase in revenue for the site. Excellent partners, such as Xiamen fish, of Long Lane, Erquan network, Kunshan forum, the North Sea 360, Huizhou West Lake, Huashang like.

phpwind recent focus on strengthening community media value, expand e-commerce applications community. phpwind focus on small sites to explore the value of integration and applications, we believe that the website that is community, the community can provide a wealth of applications to meet people access to information, communication, entertainment, consumer and other living needs, gain a sense of belonging, become online home . With the development of the Internet, in the form of the site will be more abundant, the integration of the Forum, more forms of information portals, social networking sites, we will integrate these applications to products which, and to create the most optimized user experience. phpwind mission is to make the community more valuable, so that more people enjoy the convenience of the Internet community in order to enhance the quality of life.”

(2) Vulnerability Details:

phpwind web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. phpwind has patched some of them. The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here! It also publishs suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

(2.1) The first programming code flaw occurs at “&url” parameter in “/goto.php?” page.

References:

http://www.tetraph.com/security/open-redirect/phpwind-v8-7-open-redirect/

http://securityrelated.blogspot.com/2015/05/phpwind-v87-xss.html

https://webtechwire.wordpress.com/2015/05/24/phpwind-v8-7-open-redirect-2/

http://diebiyi.com/articles/security/phpwind-v8-7-open-redirect/

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01741.html

https://itswift.wordpress.com/2015/05/24/phpwind-v8-7-open-redirect/

http://whitehatpost.blog.163.com/blog/static/242232054201542495731506/

http://cxsecurity.com/issue/WLB-2015030028

http://seclists.org/fulldisclosure/2015/Apr/35

http://www.openwall.com/lists/oss-security/2015/05/22/7