When I worked for myself, it would never have occurred to me to do things like press releases for my projects. My company does, and it’s… great? But it feels weird. Anyway, I did a thing at work.

VuFind 1.0 Reflected XSS (Cross-Site Scripting) 0-Day Web Security Bug
Exploit Title: VuFind Results page "lookfor" parameter Reflected XSS Web Security Vulnerability
Product: VuFind
Vendor: VuFind
Vulnerable Versions: 1.0
Tested Version: 1.0
Advisory Publication: September 20, 2015
Latest Update: September 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)
Advisory Details:
(1) Vendor & Product Description:
Vendor:
VuFind
Product & Vulnerable Versions:
VuFind
1.0
Vendor URL & Download:
Product can be obtained from: http://sourceforge.net/p/vufind/news/
Product Introduction Overview:
"VuFind is a library resource portal designed and developed for libraries by libraries. The goal of VuFind is to enable your users to search and browse through all of your library's resources by replacing the traditional OPAC to include: Catalog Records, Locally Cached Journals, Digital Library Items, Institutional Repository, Institutional Bibliography, Other Library Collections and Resources. VuFind is completely modular so you can implement just the basic system, or all of the components. And since it's open source, you can modify the modules to best fit your need or you can add new modules to extend your resource offerings. VuFind runs on Solr Energy. Apache Solr, an open source search engine, offers amazing performance and scalability to allow for VuFind to respond to search queries in milliseconds time. It has the ability to be distributed if you need to spread the load of the catalog over many servers or in a server farm environment. VuFind is offered for free through the GPL open source license. This means that you can use the software for free. You can modify the software and share your successes with the community! Take a look at our VuFind Installations Wiki page to see how a variety of organizations have taken advantage of VuFind's flexibility. If you are already using VuFind, feel free to edit the page and share your accomplishments. "
(2) Vulnerability Details:
VuFind is vulnerable to reflected cross-site scripting. A remote, unauthenticated attacker can craft a link to the search results page that, when opened by a victim, executes arbitrary script in the victim's browser in the origin of the VuFind site, i.e. within the trust relationship between that browser and the server (including any session the victim holds there).
Similar XSS vulnerabilities in VuFind have been reported by other researchers before, and VuFind has patched them; one earlier report is VUFIND-54: https://vufind.org/jira/si/jira.issueviews:issue-html/VUFIND-54/VUFIND-54.html
(2.1) The flaw is in the "lookfor" parameter of the "/vufind/Resource/Results" page: the search string supplied in that parameter is reflected into the response without adequate output encoding, so HTML and script in the parameter value reach the victim's browser intact.
(3) Solution:
Update to a newer VuFind release (1.0 is the affected version). Until then, treat links to the Results page carrying untrusted "lookfor" values as hostile.
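The following Python is an added example, not code from the advisory or from VuFind. It models the flaw class described above (a search string echoed into the results page without output encoding) beside the encoded form of the same template, and provides a checker that a tester can run over the response to a probe sent in the "lookfor" parameter of the Results page, to distinguish raw reflection from properly encoded reflection. Only the path and the parameter name come from the advisory; the host name, the two template shapes and the canary string are assumptions made for the example.

```python
import html
import re
from typing import Optional, Set
from urllib.parse import urlencode

# The canary wraps every character an HTML template must neutralise
# (element body needs < > &, a quoted attribute additionally " and ')
# between two fixed markers so each reflection can be located in the response.
CANARY = 'xss<>"\'&probe'

# Non-greedy match between the markers; 80 chars is ample for any encoded form.
_REFLECTION = re.compile(r"xss(.{0,80}?)probe", re.DOTALL)
# A bare ampersand, i.e. one that does not start a character reference.
_BARE_AMP = re.compile(r"&(?!#[0-9]+;|#[xX][0-9a-fA-F]+;|[a-zA-Z][a-zA-Z0-9]*;)")


def search_url(base: str, lookfor: str) -> str:
    """Probe URL in the shape the advisory gives: the lookfor parameter of
    the /vufind/Resource/Results page. The base host is the tester's choice."""
    return f"{base.rstrip('/')}/vufind/Resource/Results?{urlencode({'lookfor': lookfor})}"


def unescaped_reflections(body: str) -> Optional[Set[str]]:
    """Characters of CANARY that came back verbatim in any reflection.
    Returns None if the canary was not reflected at all, an empty set if every
    reflection was properly encoded, otherwise the set of surviving characters
    (worst case across all reflections)."""
    survivors: Optional[Set[str]] = None
    for match in _REFLECTION.finditer(body):
        middle = match.group(1)
        if survivors is None:
            survivors = set()
        survivors.update(ch for ch in '<>"\'' if ch in middle)
        if _BARE_AMP.search(middle):
            survivors.add("&")
    return survivors


def verdict(body: str) -> str:
    """Human-readable triage of one response body."""
    survivors = unescaped_reflections(body)
    if survivors is None:
        return "not reflected"
    if survivors & {"<", ">"}:
        return "vulnerable: raw angle brackets, markup injection possible"
    if survivors & {'"', "'"}:
        return "likely vulnerable: quotes survive, attribute breakout if reflected in an attribute"
    if survivors:
        return "weak encoding: bare & survives, review the output encoding"
    return "escaped"


# --- Constructed models of the flaw class and its fix (not VuFind's templates) ---

def render_vulnerable(lookfor: str) -> str:
    """Search string echoed raw into an attribute and into the page body."""
    return (
        f'<input type="text" name="lookfor" value="{lookfor}">\n'
        f"<p>Your search - {lookfor} - did not match any resources.</p>"
    )


def render_fixed(lookfor: str) -> str:
    """Same template with HTML encoding applied at the output point;
    quote=True also encodes both quote characters so the attribute is safe."""
    safe = html.escape(lookfor, quote=True)
    return (
        f'<input type="text" name="lookfor" value="{safe}">\n'
        f"<p>Your search - {safe} - did not match any resources.</p>"
    )


if __name__ == "__main__":
    print(search_url("http://vufind.example.invalid", CANARY))
    for name, page in (("vulnerable", render_vulnerable(CANARY)),
                       ("fixed", render_fixed(CANARY))):
        print(f"{name:10s} -> {verdict(page)}")
```

Fetching is left to the tester (request `search_url(...)` with any HTTP client and pass the response body to `verdict`). The checker reports surviving quote characters separately from surviving angle brackets because, when the value lands inside a quoted attribute, a quote alone is enough to break out and attach an event handler even if `<` and `>` were encoded; whether that applies depends on where in the page the reflection sits, so inspect the context around the match before calling it exploitable.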
References:
http://tetraph.com/security/xss-vulnerability/vufind-xss/
http://russiapost.blogspot.ru/2015/09/vufind-xss-issue.html
https://infoswift.wordpress.com/2015/09/25/vufind-issue/
http://www.openwall.com/lists/oss-security/2015/09/25/2
http://whitehatview.tumblr.com/post/129834589981/vufind-xss-bugs
http://itsecurity.lofter.com/post/1cfbf9e7_854cb25
https://progressive-comp.com/?l=oss-security&m=144316469829656&w=1
http://essayjeans.blog.163.com/blog/static/23717307420158253407863/
http://seclists.org/oss-sec/2015/q3/639
http://frenchairing.blogspot.fr/2015/09/vufind-bug.html
https://itswift.wordpress.com/2015/09/22/vufind-0day/
http://permalink.gmane.org/gmane.comp.security.oss.general/17836
VuFind & Mifos X FOSS Projects
VuFind Overview
Developed at Villanova University, VuFind is a portal designed to let users search and browse a library's resources. A quick scan through VuFind's website reveals plenty of information about the project's features, documentation on installing and configuring the software, and even upcoming events held in Germany. The project appears to be active: the last release was 2.4.1 in late May 2015, and it looks like there is a major update at least once a year. After a bit more searching, there doesn't seem to be a clear starting point for someone looking to get involved other than following a link to GitHub. For a project that holds international meetings with German universities, I'm surprised to see that VuFind does not host its own code. Overall, this seems like a very credible project that is far along in its development, but it still has some growing to do before it stands on its own as an open source project.
Mifos X Overview
Mifos provides an open source platform that allows service providers to deliver financial services in impoverished third-world nations. The Mifos community has a presence on many popular social media sites such as Twitter, Google+, Facebook, and LinkedIn. They invite followers to share their stories and to encourage others to support Mifos' mission statement, a powerful way to advertise their cause without spending vast amounts of money. For developers and testers who would like to get involved, the Volunteer tab provides all of the information needed to write code, test feature specifications, become an adviser, and even write documentation for other users. The Mifos website contains plenty of information about their mission and includes links to roadmaps, current documentation, and donations to keep the project alive and moving forward. Overall, the project appears very credible and well established in its funding and partners. I would expect development to go far with the help of volunteers and financial backers.