Security Advisory: Reflected XSS in NetBiblio WebOPAC (CVE-2021-42551)
------------------------------------------------------------------------------

1. Summary

This advisory describes two versions of a reflected XSS vulnerability in different releases of AlCoda's NetBiblio WebOPAC (https://www.alcoda.info/Homepage/libraryNews/entry/25), a commonly used software for online libraries in Switzerland and Germany.

The vulnerability lies within the Wikipedia module used to enhance an end user's search experience within the software. Each search term an end user searches for in the customer's library is reflected through JavaScript against Wikipedia, and the top results are then returned as part of the response and displayed in the user interface. However, in versions 4.0.0.312 and earlier the search term is passed into this module without further sanitization or encoding, resulting in an injection point usable for a reflected Cross-Site Scripting (XSS) attack.

Upon disclosure to the vendor this issue was initially patched. However, the initial patch was altered for the worse in version 4.0.0.329 and allows for a bypass resulting in the same injection point again.

Organisations using NetBiblio WebOPAC are therefore advised to upgrade to the latest version or disable the Wikipedia module completely.

2. Vulnerable devices and versions

The updated version of the attack (bypass) has been successfully tested against the following versions:

* NetBiblio WebOPAC 4.0.0.334
* NetBiblio WebOPAC 4.0.0.333
* NetBiblio WebOPAC 4.0.0.330
* NetBiblio WebOPAC 4.0.0.329

The initial version of the attack has been successfully tested against the following versions:

* NetBiblio WebOPAC 4.0.0.312
* NetBiblio WebOPAC 4.0.0.309
* NetBiblio WebOPAC 4.0.0.306

No other versions were tested for this vulnerability. However, versions of NetBiblio WebOPAC before 4.0.0.306 using this module are most likely vulnerable as well.

3. Details

To enhance the end users' search experience a search term is not only used to search in the customer's library itself but, if enabled, against external resources such as Wikipedia as well. This is done asynchronously through the following JavaScript snippet, which passes along the user submitted search term through the parameter "SearchTerm" to Wikipedia and returns the corresponding search results:

In NetBiblio WebOPAC 4.0.0.312 and earlier the initially submitted search term is reflected into the response without any further encoding or sanitization and is therefore vulnerable to XSS. To exploit this vulnerability, the following payload can be used to trigger an alert box and prove the ability to inject arbitrary JavaScript code:

x'+alert("Redguard")+'x

Via an additional redirect, this results in the following GET request including the above payload as part of the parameter "searchTerm":

GET /NetBiblio/search/shortview?searchField=W&searchType=Simple
&searchTerm=x%27%2Balert%28%22Redguard%22%29%2B%27x&fromStartPage=True
&searchResultId=11111&sort=Notices.Author%2CNotices.Title&page=1
&pageSize=100

This results in the following JavaScript snippet returned to the end user containing the arbitrary code as part of the parameter "SearchTerm":

As certain parameters are optional in the initial search request, it can be stripped down to the following URL to trigger the vulnerability:

https://target/NetBiblio/search/shortview?searchField=W
&searchType=Simple&searchTerm=x%27%2Balert%28%22Redguard%22%29%2B%27x

Upon disclosure to the vendor, this vulnerability was addressed by encoding the user supplied input before using it in the above JavaScript snippet. However, starting with NetBiblio WebOPAC version 4.0.0.329, the initially deployed patch was altered again. Instead of encoding, the vulnerability is now addressed by escaping any user supplied single quotation marks.
However, this can be bypassed by simply supplying a backslash before a single quotation mark, which effectively cancels the escaping of the single quotation mark. To bypass the escaping and exploit this vulnerability again, the following payload can be used to trigger an alert box and prove the ability to inject arbitrary JavaScript code:

x\'+alert("Redguard"),//

This results in the following JavaScript snippet returned to the end user containing the arbitrary code, cancelling the applied escaping as part of the parameter "SearchTerm" and therefore bypassing the altered patch:

This can be stripped down to the following URL to trigger the vulnerability in newer versions again:

https://alcoda.info/NetBiblio/search/shortview?searchField=W
&searchType=Simple&searchTerm=x%5C%27%2Balert%28%22Redguard%22%29%2C%2F%2F

By tricking a user into clicking this specially crafted link leading to the above GET request, an attacker can execute arbitrary JavaScript code within the victim's session and perform malicious actions within the context of the NetBiblio WebOPAC.

4. Credits

* Patrick Schmid, Redguard AG
* Sven Vetsch, Redguard AG

5. Timeline

* 2021-08-25 : Contacted AlCoda and requested a secure way of communication.
* 2021-09-06 : Contacted AlCoda's CEO and support due to no response.
* 2021-09-13 : Contacted AlCoda again requesting a secure way of communication due to no response.
* 2021-09-14 : AlCoda responded by phone stating they are not able to provide a secure way of communication and requested additional information via physical mail.
* 2021-09-14 : Initial vulnerability disclosed to AlCoda's CEO via plain e-mail due to the lack of a digital channel.
* 2021-09-14 : AlCoda confirmed the initial vulnerability and a patch in a few days.
* 2021-12-06 : Patch deployed to most publicly available instances.
* 2021-12-20 : Initial contact with NCSC as CNA of Switzerland to assign a CVE.
* 2021-12-21 : CVE-2021-42551 assigned by NCSC.
* 2022-01-03 : Bypass identified in the altered patch of newer versions. Bypass disclosed to AlCoda's CEO again and publication postponed.
* 2022-01-04 : AlCoda confirmed the bypass and a patch in a few days. NCSC informed about the bypass.
* 2022-01-05 : Patch available from vendor.
* 2022-01-10 : Patch deployed to most publicly available instances.
* 2022-01-14 : Public disclosure of advisory.

6. About Redguard

Redguard is a Swiss-based information security company. We assist our clients with technical security testing as well as organizational security audits and consulting. This enables us to have a team with extensive experience in a wide variety of security relevant topics.

https://www.redguard.ch
contact@redguard.ch

7. Disclaimer

This document is not meant to be a complete list of security issues for any of the mentioned software and/or versions. It is possible and indeed likely that there are further security issues that are yet to be identified. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties regarding this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
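Appended illustration of the two fixes discussed in section 3 (example code written for this copy of the advisory, not code from Redguard, AlCoda or NetBiblio): it contrasts escaping only single quotes with encoding the value as a JSON string literal, and checks statically whether each of the two payloads quoted above remains inside a single JavaScript string literal. The shape of the generated snippet ('<value>') is an assumption, since the advisory's own snippet is not reproduced here.

```javascript
// Added example, not from the advisory or NetBiblio: contrasts the
// "escape single quotes" fix of 4.0.0.329+ (section 3) with a proper
// encoding. The snippet shape '<value>' is an assumption.

// Fix as described for 4.0.0.329+: only single quotes are escaped.
function weakEscape(term) {
  return "'" + term.replace(/'/g, "\\'") + "'";
}

// Defensible alternative: JSON string literal, with "<" and the U+2028/2029
// line terminators escaped so it is also safe inside an inline <script>.
function safeEncode(term) {
  return JSON.stringify(term)
    .replace(/</g, "\\u003c")
    .replace(/[\u2028\u2029]/g, (c) => "\\u" + c.charCodeAt(0).toString(16));
}

// Scan a JS string literal that starts at src[0], using the lexer rule that a
// backslash consumes the next character. Returns the closing quote's index or -1.
function findLiteralEnd(src) {
  const quote = src[0];
  for (let i = 1; i < src.length; i++) {
    if (src[i] === "\\") { i++; continue; }
    if (src[i] === quote) return i;
  }
  return -1;
}

// True when the first closing quote is the final character, i.e. nothing in
// the value has broken out of the literal into code context.
function staysInsideLiteral(encoded) {
  return findLiteralEnd(encoded) === encoded.length - 1;
}

// Constructed inputs: a benign term plus the two payloads quoted in section 3.
const SAMPLES = {
  benign: "Schweizer Geschichte",
  original: "x'+alert(\"Redguard\")+'x",
  bypass: "x\\'+alert(\"Redguard\"),//",
};

function evaluate() {
  const out = {};
  for (const [name, term] of Object.entries(SAMPLES)) {
    out[name] = { weak: staysInsideLiteral(weakEscape(term)),
                  safe: staysInsideLiteral(safeEncode(term)) };
  }
  return out;
}
```

With the escape-only fix the original payload stays contained but the backslash variant breaks out of the literal, while the JSON encoding contains both.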