
CERT Coordination Center

Web Reference Database (refbase) contains multiple vulnerabilities

Vulnerability Note VU#374092

Original Release Date: 2015-09-21 | Last Revised: 2015-09-21

Overview

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

Description

Web Reference Database (refbase) versions 0.9.6 and possibly earlier contain multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-6007

The application does not employ cross-site request forgery protection (CSRF) mechanisms, such as CSRF tokens.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2015-6008

The install.php file is vulnerable to command injection attacks via the adminPassword POST parameter. An attacker can also pass malicious remote file paths to the pathToMYSQL and databaseStructureFile POST parameters. Assuming the target system is able to access those remote paths, it will execute them within the context of the server application's user.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-6009

The install.php file is vulnerable to SQL Injection via the defaultCharacterSet POST parameter.

The rss.php file is vulnerable to SQL Injection via the where GET parameter.

The search.php file is vulnerable to SQL Injection via the sqlQuery GET parameter.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-6010

The install.php file is vulnerable to reflected cross-site scripting (XSS) attacks via the adminUserName, pathToMYSQL, databaseStructureFile, and pathToBibutils POST parameters.

The error.php file is vulnerable to reflected XSS attacks via the errorNo and errorMsg GET parameters.

The duplicate_manager.php file is vulnerable to a reflected XSS attack via the viewType GET parameter.

The query_manager.php file contains multiple reflected XSS vulnerabilities. When the customQuery GET parameter is set to "1", the queryAction, displayType, citeOrder, sqlQuery, showQuery, showLinks, and showRows GET parameters are all vulnerable to reflected XSS attacks. When customQuery is not provided or set to "1", only the queryID GET parameter is vulnerable. It should be noted that while the query_manager.php file is only accessible by authenticated users, the lack of CSRF protections could still enable unauthenticated attackers to exploit these XSS vulnerabilities.

The import.php file is vulnerable to reflected XSS attacks via the sourceText and sourceIDs POST variables.

The update.php file is vulnerable to reflected XSS attacks via the adminUserName POST parameter.

The application is vulnerable to stored XSS attacks through the modify.php file's typeName and fileName POST parameters. When rendered by the search.php and advanced_search.php pages, the injected JavaScript in these stored values is not safely escaped.

CWE-91: XML Injection (aka Blind XPath Injection) - CVE-2015-6011

Arbitrary XML can be injected via the unapi.php file's id GET parameter, as well as the sru.php file's stylesheet GET parameter.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2015-6012

Multiple pages are vulnerable to open redirection attacks by passing a referrer GET parameter with a malicious URL as its value in the request.


The CVSS score reflects CVE-2015-6008.

Impact

A remote, unauthenticated attacker could submit valid requests to the server on behalf of authenticated users, execute arbitrary scripts in the context of a victim's browser, directly read, write, and modify arbitrary data in the application's database, redirect victims to malicious web addresses, and execute arbitrary code on the server.

Solution

The refbase maintainers have not published a new release at this time. However, they have committed fixes for some of these issues to the bleeding-edge SVN branch. To apply these fixes, users can download the latest repository snapshot.

The SQL Injection vulnerabilities in rss.php and search.php have not yet been fixed. According to the project maintainers, the vulnerabilities in install.php and update.php will not be fixed (see workaround below).

For users who cannot upgrade at this time or do not wish to use an unofficial release of this software, please consider using the following workarounds:

Manually remove install.php and update.php

The install.php and update.php files are administrative files for installing and updating the application. When they are not needed, project maintainers suggest manually removing these vulnerable files from production deployments of the application.

Restrict access

Restrict access to the application to trusted users and networks.
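Added example (not part of this note or of refbase itself): a small Python access-log check for the conditions described above, covering requests to the install.php and update.php files the workaround says to remove, SQL metacharacters in the still-unfixed rss.php where and search.php sqlQuery parameters, and off-site referrer values (CVE-2015-6012). The /refbase/ path and the sample log lines are constructed; POST parameters such as adminPassword never appear in an access log, so hits on the admin scripts are flagged by path alone.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Matches Apache/nginx "combined" access-log lines (constructed samples below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')

# Script and parameter names are taken from VU#374092; /refbase/ is an assumed deployment path.
REMOVED_SCRIPTS = {"install.php", "update.php"}                # workaround: delete these
UNFIXED_SQLI = {"rss.php": "where", "search.php": "sqlQuery"}  # SQLi not yet fixed
# sqlQuery legitimately carries a SELECT in refbase, so only flag constructs a normal query lacks.
SQL_META = re.compile(r"--|/\*|;|\bunion\b|\b(sleep|benchmark|load_file)\s*\(|\binto\s+(out|dump)file\b", re.I)

def classify(line):
    """Return finding strings for one access-log line (empty list if benign or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    script = url.path.rsplit("/", 1)[-1]
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    # POST bodies are not logged, so any request for the admin scripts is worth a look by itself.
    if script in REMOVED_SCRIPTS:
        findings.append(f"{script} requested (should be removed from production)")
    param = UNFIXED_SQLI.get(script)
    if param and any(SQL_META.search(v) for v in params.get(param, [])):
        findings.append(f"SQL metacharacters in {script}?{param}")
    # CVE-2015-6012: referrer should be a local path; a non-empty netloc means an absolute or
    # scheme-relative (//host) URL that sends the victim off-site.
    if any(urlsplit(v).netloc for v in params.get("referrer", [])):
        findings.append(f"off-site referrer value on {script}")
    return findings

def scan(lines):
    """Return (client_ip, finding) pairs for every flagged line."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        for f in classify(line):
            out.append((m.group("ip"), f))
    return out

# Constructed sample log; the third line is a benign search that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2015:10:00:01 +0000] "POST /refbase/install.php HTTP/1.1" 200 512 "-" "curl/7.43.0"
203.0.113.7 - - [21/Sep/2015:10:00:02 +0000] "GET /refbase/rss.php?where=serial%3D1%20UNION%20SELECT%201 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Sep/2015:10:00:03 +0000] "GET /refbase/search.php?sqlQuery=SELECT%20*%20FROM%20refs HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Sep/2015:10:00:04 +0000] "GET /refbase/index.php?referrer=http://redirect-target.example/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Sep/2015:10:00:05 +0000] "GET /refbase/show.php?record=12 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""
```

Running `scan(SAMPLE_LOG.splitlines())` yields three findings: the install.php hit, the UNION in rss.php?where, and the off-site referrer on index.php.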

Vendor Information

Web Reference Database: Affected

Notified: January 05, 2015 | Updated: September 15, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group | Score | Vector
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal | 6.4 | E:POC/RL:W/RC:C
Environmental | 1.7 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Mohab Ali for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2015-6007, CVE-2015-6008, CVE-2015-6009, CVE-2015-6010, CVE-2015-6011, CVE-2015-6012
Date Public: 2015-09-21
Date First Published: 2015-09-21
Date Last Updated: 2015-09-21 20:43 UTC
Document Revision: 38

Sponsored by CISA.