Monday 31 December 2007

OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities

- Security Advisory -

- OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities -

Product: OpenBiblio
Version: Version 0.5.2 Prerelease 4 and prior is affected
Affected by: Full path disclosure, local file include, phpinfo disclosure, multiple Cross Site Scripting, SQL injection

I. Introduction.

OpenBiblio is an easy to use, automated library system written in PHP containing OPAC, circulation,
cataloging, and staff administration functionality.
OpenBiblio library administration offers an intuitive interface with broad category tabs and sidebar.

II. Description

OpenBiblio suffers multiple bugs.

1) Local File Include vulnerability: its posible to include any arbitrary local file using shared/help.php file

- Code -
if (isset($_GET["page"])) {
$page = $_GET["page"];
} else {
$page = "contents";

- PoC -

2) Local File Include (2) (only works with register_globals On and for non php files magic_quotes_gpc must be Off)

- Code -
<?php include("../navbars/".$tab.".php");?>

- PoC -

3) This link will show phpinfo


Remove it!

4) Path Disclosure

Some samples:

Fatal error: Call to a member function on a non-object in /httpdocs/openbiblio/shared/footer.php on line 18

Fatal error: Call to a member function on a non-object in /httpdocs/openbiblio/circ/mbr_fields.php on line 14

Fatal error: Cannot instantiate non-existent class: dmquery in /httpdocs/openbiblio/admin/custom_marc_form_fields.php on line 14

Please, turn display_errors to Off in php.ini

6) Multiple Cross Site Scripting, an attacker can perform an XSS attack that allows him to access the targeted user cookies

Some samples:



In /admin/theme_preview.php an attacker can inject an XSS in the var themeName with method POST.
here is a poc:

<form action="http://site/openbiblio/admin/theme_preview.php" method="post">
<input type="text" name="themeName" size="40" value="<script>alert(document.cookie);</script>"><br><br>
<input type="submit" value="doit">

try with: <script>alert(document.cookie);</script>

6) SQL injection (session with report rol is needed to exploit this bug)

Any user with report rol can access any field of the database, including admin md5 hash.



with this an attacker can get the md5 admin password:



then click "run report" and view the results, besides, you can choose between html and csv format ;)

staff.username staff.pwd
admin 21232f297a57a5a743894a0e4a801fc3

III. Timeline

20/08/2006 - Bugs discovered
25/08/2006 - Vendor Contacted
30/08/2006 - Release 0.5.2 (parcial patch)
21/02/2007 - Release 0.6.0 (full patch)
28/12/2007 - Advisory Disclosure

IV. Solution

Upgrade to 0.6.0 from
Good work!

V. Credits

Juan Galiana <jgaliana gmail com>


Podeis encontrar el boletín de seguridad archivado en este link.


  1. Really fantastic. The most impressive is the timeline from "Bugs discovered" to "Advisory disclosure" they take long long long!

    Your work rocks!, regards

  2. Hi! I was surfing and found your blog post... nice! I love your blog. :) Cheers! Sandra. R.

  3. Cool post. I just came across your blog and wanted to say that I

  4. I love your site. :) Love design!!! I just came across your blog and wanted to say that I

  5. Sorry, what did you mean?? A?? Sign: bmmmr

  6. Sign: umsun Hello!!! rcuwwymhyw and 9402ssgfhphzye and 153I like your blog. cool post!

  7. Sign: xxsfd Hello!!! bmnay and 492cnbatekwmf and 969 My Comments: I love your site. :) Love design!!! I just came across your blog and wanted to say that Ive really enjoyed browsing your blog posts.