CyStack Advisory ID CSA-2019-01
CVE IDs CVE-2019-11359, CVE-2019-11428, CVE-2019-11449
Severity Medium

Recently, we decided to find and get some CVEs assigned. When looking for a web project to audit, we came upon I, Librarian 4.10, a PHP web application that has over 100 stars on GitHub. A few hours of relatively easy bug hunting later, we had 3 CVEs with our names on them.

Multiple vulnerable entry points

So we had narrowed our search to one web application. The next step was to find actual vulnerabilities within this app. I, Librarian is written in plain PHP, and the front end doesn't use any template engine, so there is no automatic output escaping between request parameters and the generated HTML. Naturally, this opens up a lot of attack surface for well-known web attacks. We chose to look for a classic web vulnerability, XSS. A simple grep returns multiple entry points for potential XSS attacks:
grep -Pn 'print|echo \$_(GET|POST)' . -R

Not all of the returned lines of code are vulnerable to XSS. Some parameters are typecast to int before being returned in the web page. Another common mitigation is whitelisting. Whitelisting certainly does prevent XSS, but it cannot be used everywhere without the functionality of the app suffering. There are also some variables filtered with strip_tags() before being displayed. This can be easily bypassed, since strip_tags() only removes tag-like sequences and does not encode the characters that are dangerous in the surrounding output context. Use of htmlspecialchars() should be preferred when it comes to preventing XSS.

Endpoint 1: display.php

$project = $_GET['project'];
...
print '<a href="rss.php?project=' . $project . '" target="_blank" id="rss-link">&nbsp;<i class="fa fa-rss"></i> Project RSS</a>';

The $project variable is neither validated nor encoded before being concatenated into the href attribute. This is a classic case of reflected XSS. CVE-2019-11359 was assigned to this vulnerability.

Endpoint 2: export.php

if (isset($_GET['export_files']))
        $get_post_export_files = $_GET['export_files'];
...
<input type="hidden" name="export_files" value="<?php print $get_post_export_files ?>">

This case is mostly the same as the previous one: $_GET['export_files'] is printed directly into the value attribute of the final HTML page.
We reported this to the vendor, and CVE-2019-11428 was assigned.

Endpoint 3: notes.php

if (isset($_GET['file'])) {
    $query = $dbHandle->quote($_GET['file']);
    $user_query = $dbHandle->quote($_SESSION['user_id']);
    $result = $dbHandle->query("SELECT title FROM library WHERE id=$query");
    $title = $result->fetchColumn();
    $result = null;
    $result = $dbHandle->query("SELECT notes FROM notes WHERE fileID=$query AND userID=$user_query LIMIT 1");
    $notes = $result->fetchColumn();
    $result = null;
}
...
print $notes;

This one is different from the previous two, as it is a stored XSS vulnerability. The result of a database query is displayed in the web page through the call to print $notes; without any encoding. To exploit this, we must first create a malicious data record in the database; triggering the XSS is then trivial. CVE-2019-11449 was assigned to this vulnerability.
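As an added illustration of the fix the advisory recommends (this is example code, not I, Librarian's own), the three sinks above are rewritten around one output-encoding helper based on htmlspecialchars(); the function names and the sample input are our own constructions:

```php
<?php
// Added example, not part of I, Librarian: one encoding helper applied to the
// three sinks described in the advisory (display.php, export.php, notes.php).
declare(strict_types=1);

/**
 * Encode a value for insertion into HTML text or a double/single-quoted attribute.
 * ENT_QUOTES encodes both quote styles so attribute context cannot be broken out of;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning "".
 */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// display.php: $project ends up inside a URL that is itself inside an attribute,
// so it is URL-encoded for the query string, then HTML-encoded for the attribute.
function rss_link(string $project): string
{
    $href = 'rss.php?project=' . rawurlencode($project);
    return '<a href="' . esc($href) . '" target="_blank" id="rss-link">'
         . '&nbsp;<i class="fa fa-rss"></i> Project RSS</a>';
}

// export.php: the hidden input's value is a plain attribute context.
function export_files_input(string $exportFiles): string
{
    return '<input type="hidden" name="export_files" value="' . esc($exportFiles) . '">';
}

// notes.php: data read back from the database is still untrusted input;
// encode it at output time rather than trusting what was stored.
function render_notes(?string $notes): string
{
    return esc($notes ?? '');
}

// Constructed sample containing the characters that matter in attribute and
// text contexts (both quote styles, angle brackets, ampersand).
$sample = 'Bob\'s "Project" <2019> & co';
echo rss_link($sample), "\n";           // quotes become &quot; / &#039;, <> become &lt; &gt;
echo export_files_input($sample), "\n"; // the value can no longer close the attribute
echo render_notes($sample), "\n";       // stored content is rendered as text, not markup
```

Reading the parameters with `$_GET['project'] ?? ''` and passing them through these functions replaces the raw print calls; the encoding is chosen per output context, which is what strip_tags() cannot do.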

Conclusion

I, Librarian 4.10 has multiple XSS vulnerabilities. Finding these bugs helped us get CVEs quite easily.