====================================================================
CERT-Renater Information Note No. 2015/VULN207
_____________________________________________________________________

DATE                 : 25/09/2015
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Web Reference Database versions up to and including 0.9.6.
======================================================================

http://www.kb.cert.org/vuls/id/374092
_____________________________________________________________________

Vulnerability Note VU#374092
Web Reference Database (refbase) contains multiple vulnerabilities

Original Release date: 21 Sep 2015 | Last revised: 21 Sep 2015

Overview

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

Description

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-6007

The application does not employ cross-site request forgery (CSRF) protection mechanisms, such as CSRF tokens.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2015-6008

The install.php file is vulnerable to command injection attacks via the adminPassword POST parameter. An attacker can also pass malicious remote file paths to the pathToMYSQL and databaseStructureFile POST parameters. Assuming the target system is able to access those remote paths, it will execute them within the context of the server application's user.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-6009

The install.php file is vulnerable to SQL injection via the defaultCharacterSet POST parameter. The rss.php file is vulnerable to SQL injection via the where GET parameter. The search.php file is vulnerable to SQL injection via the sqlQuery GET parameter.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-6010

The install.php file is vulnerable to reflected cross-site scripting (XSS) attacks via the adminUserName, pathToMYSQL, databaseStructureFile, and pathToBibutils POST parameters.

The error.php file is vulnerable to reflected XSS attacks via the errorNo and errorMsg GET parameters.

The duplicate_manager.php file is vulnerable to a reflected XSS attack via the viewType GET parameter.

The query_manager.php file contains multiple reflected XSS vulnerabilities. When the customQuery GET parameter is set to "1", the queryAction, displayType, citeOrder, sqlQuery, showQuery, showLinks, and showRows GET parameters are all vulnerable to reflected XSS attacks. When customQuery is not provided or set to "1", only the queryID GET parameter is vulnerable. It should be noted that while the query_manager.php file is only accessible by authenticated users, the lack of CSRF protections could still enable unauthenticated attackers to exploit these XSS vulnerabilities.

The import.php file is vulnerable to reflected XSS attacks via the sourceText and sourceIDs POST variables.

The update.php file is vulnerable to reflected XSS attacks via the adminUserName POST parameter.

The application is vulnerable to stored XSS attacks through the modify.php file's typeName and fileName POST parameters. When rendered by the search.php and advanced_search.php pages, the injected JavaScript in these stored values will not be safely escaped.

CWE-91: XML Injection (aka Blind XPath Injection) - CVE-2015-6011

Arbitrary XML can be injected via the unapi.php file's id GET parameter, as well as the sru.php file's stylesheet GET parameter.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2015-6012

Multiple pages are vulnerable to open redirection attacks by passing a referrer GET parameter with a malicious URL as its value in the request.

The CVSS score reflects CVE-2015-6008.
Impact

A remote, unauthenticated attacker could submit valid requests to the server on behalf of authenticated users, execute arbitrary scripts in the context of a victim's browser, directly read, write, and modify arbitrary data in the application's database, redirect victims to malicious web addresses, and execute arbitrary code on the server.

Solution

The refbase maintainers have not published a new release at this time. However, they have committed fixes for some of these issues to the bleeding-edge SVN branch. To apply these fixes, users can download the latest repository snapshot.

The SQL injection vulnerabilities in rss.php and search.php have not yet been fixed. According to the project maintainers, the vulnerabilities in install.php and update.php will not be fixed (see workaround below).

For users who cannot upgrade at this time or do not wish to use an unofficial release of this software, please consider using the following workarounds:

Manually remove install.php and update.php

The install.php and update.php files are administrative files for installing and updating the application. When they are not needed, project maintainers suggest manually removing these vulnerable files from production deployments of the application.

Restrict access

Restrict access to the application to trusted users and networks.

Vendor Information

Vendor                   Status     Date Notified   Date Updated
Web Reference Database   Affected   05 Jan 2015     15 Sep 2015

CVSS Metrics

Group           Score   Vector
Base            7.5     AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal        6.4     E:POC/RL:W/RC:C
Environmental   1.7     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://sourceforge.net/projects/refbase/
http://www.refbase.net/index.php/Web_Reference_Database

Credit

Thanks to Mohab Ali for reporting this vulnerability.

This document was written by Todd Lewellen.
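The description above names the scripts and GET parameters that reach the SQL, XSS, XML and redirect sinks, and the solution section recommends removing install.php and update.php and restricting access. As an added example (not from the advisory, CERT/CC or the refbase project), the Python script below reviews web-server access logs for requests that hit those administrative scripts, that carry one of the named GET-parameter sinks, or that pass a referrer value pointing off the application host. The log lines, IP addresses, the application host refbase.example.org and the show.php path are constructed for this example. Only GET parameters are visible in access logs, so the POST-parameter issues (install.php, update.php, import.php, modify.php) cannot be spotted by value here; the admin-script rule stands in for the install.php and update.php cases.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Scripts the advisory says to remove from production deployments.
ADMIN_SCRIPTS = {"install.php", "update.php"}

# (script, GET parameter) pairs the advisory identifies as injection sinks.
# search.php?sqlQuery= and unapi.php?id= are also normal application features,
# so treat these as review flags and tune them to your deployment.
GET_SINKS = {
    ("rss.php", "where"): "CVE-2015-6009 SQL injection sink",
    ("search.php", "sqlQuery"): "CVE-2015-6009 SQL injection sink",
    ("error.php", "errorNo"): "CVE-2015-6010 reflected XSS sink",
    ("error.php", "errorMsg"): "CVE-2015-6010 reflected XSS sink",
    ("duplicate_manager.php", "viewType"): "CVE-2015-6010 reflected XSS sink",
    ("unapi.php", "id"): "CVE-2015-6011 XML injection sink",
    ("sru.php", "stylesheet"): "CVE-2015-6011 XML injection sink",
}

# Constructed sample log lines; hosts, addresses and the show.php path are
# assumptions for this example, not data from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2015:10:01:02 +0200] "GET /refbase/search.php?sqlQuery=SELECT+%2A+FROM+refs&showQuery=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2015:10:01:09 +0200] "POST /refbase/install.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2015:10:02:30 +0200] "GET /refbase/rss.php?where=serial%3D1 HTTP/1.1" 200 2048 "-" "curl/7.40"
198.51.100.7 - - [25/Sep/2015:10:03:00 +0200] "GET /refbase/show.php?referrer=http%3A%2F%2Fattacker.example%2Fphish HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2015:10:04:00 +0200] "GET /refbase/show.php?referrer=%2Frefbase%2Findex.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2015:10:05:00 +0200] "GET /refbase/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def is_external_target(value: str, app_host: str) -> bool:
    """True when a referrer value would send the browser away from app_host.

    Relative paths are accepted; absolute and scheme-relative URLs to another
    host, and non-http(s) schemes, are flagged. This is the same allow-list
    check a server-side fix for CVE-2015-6012 would apply before redirecting.
    """
    parts = urlsplit(value.strip())
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return True  # javascript:, data: and similar are never a valid return path
    return bool(parts.netloc) and parts.netloc.lower() != app_host.lower()


def analyze_request(target: str, app_host: str) -> list:
    """Return a list of finding strings for one request target (path + query)."""
    split = urlsplit(target)
    script = split.path.rsplit("/", 1)[-1]
    params = parse_qs(split.query, keep_blank_values=True)
    findings = []
    if script in ADMIN_SCRIPTS:
        findings.append(
            f"{script}: administrative script reachable in production "
            "(CVE-2015-6008/6009/6010; advisory recommends removing it)"
        )
    for name in params:
        label = GET_SINKS.get((script, name))
        if label:
            findings.append(f"{script}?{name}=: {label}")
    for value in params.get("referrer", []):
        if is_external_target(value, app_host):
            findings.append(f"{script}?referrer=: CVE-2015-6012 open redirect to {value!r}")
    return findings


def analyze_log(text: str, app_host: str) -> list:
    """Parse combined-format log text; return (ip, method, finding) tuples."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for finding in analyze_request(m["target"], app_host):
            results.append((m["ip"], m["method"], finding))
    return results


if __name__ == "__main__":
    for ip, method, finding in analyze_log(SAMPLE_LOG, "refbase.example.org"):
        print(f"{ip:15} {method:5} {finding}")
```

Run against a real log, the fourth sample line is the one worth acting on first: an external referrer value on a page that redirects is exactly the open-redirect case, while hits on install.php after deployment indicate the workaround (removing the file) was not applied. The `is_external_target` check doubles as the allow-list a maintainer would put in front of the redirect itself.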
Other Information

CVE IDs: CVE-2015-6007 CVE-2015-6008 CVE-2015-6009 CVE-2015-6010 CVE-2015-6011 CVE-2015-6012
Date Public: 21 Sep 2015
Date First Published: 21 Sep 2015
Date Last Updated: 21 Sep 2015
Document Revision: 37

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44              +
+ 23 - 25 Rue Daviel     | fax : 01-53-94-20-41              +
+ 75013 Paris            | email: cert@support.renater.fr    +
==========================================================