OpenBiblio 0.5.2-pre4 and earlier allows remote attackers to obtain sensitive information via a direct request for (1) shared/footer.php, (2) circ/mbr_fields.php, or (3) admin/custom_marc_form_fields.php, which reveals the path in various error messages.
OpenBiblio versions 0.5.2-pre4 and earlier contain a path disclosure flaw that lets attackers learn sensitive details of the server's file system layout. This information can be leveraged to craft further attacks, potentially leading to remote code execution or data exfiltration, because it reveals the server's file structure and the location of sensitive files.
Step 1: Target Identification: The attacker identifies a vulnerable OpenBiblio installation, likely by scanning for known OpenBiblio installations or by using search engines to locate publicly accessible instances.
Step 2: Direct Request: The attacker crafts a direct HTTP request to one of the vulnerable files: shared/footer.php, circ/mbr_fields.php, or admin/custom_marc_form_fields.php.
Step 3: Error Trigger: The request triggers an error condition, either simply because the file is requested directly or because an error occurs during the file's execution (e.g., incorrect parameters).
Step 4: Path Disclosure: The application responds with an error message that contains the full server-side file path of the requested file.
Step 5: Information Gathering: The attacker analyzes the revealed path to understand the server's file system structure and identify potential targets for further exploitation.
Step 6: Exploitation (Potential): Based on the revealed path, the attacker may attempt further attacks, such as LFI/RFI, or use the information to craft more targeted attacks.
The vulnerability stems from insufficient error handling in OpenBiblio's PHP scripts. When shared/footer.php, circ/mbr_fields.php, or admin/custom_marc_form_fields.php is requested directly, the application fails to sanitize the resulting error messages: instead of a generic message, the response reveals the full server-side path of the requested file. This path disclosure gives attackers critical information about the server's file system structure, including the location of configuration files, other sensitive scripts, and potentially the web server's document root. That information can then be used to craft more sophisticated attacks, such as Local File Inclusion (LFI) or Remote File Inclusion (RFI), by leveraging the revealed paths to include malicious code or access sensitive data. The root cause is a lack of proper input validation and error message sanitization.
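As an added detection example (not code from the advisory or the OpenBiblio project), the following Python flags direct requests for the three include-only scripts in Apache-style access-log lines; the /openbiblio/ install prefix and the log lines themselves are constructed assumptions.

```python
import re

# The three include-only scripts named in the advisory. They are pulled in
# via include() by other pages, so a direct request for them is not part of
# normal OpenBiblio navigation and is worth alerting on regardless of status.
INCLUDE_ONLY = (
    "shared/footer.php",
    "circ/mbr_fields.php",
    "admin/custom_marc_form_fields.php",
)

# Apache/nginx "combined" access-log format (request line split into method/path).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_direct_include_request(path: str, app_root: str = "/openbiblio/") -> bool:
    """True if the URL path hits one of the include-only scripts directly.

    app_root is an assumed install prefix; adjust it to the real deployment.
    """
    path = path.split("?", 1)[0]          # ignore any query string
    if not path.startswith(app_root):
        return False
    return path[len(app_root):] in INCLUDE_ONLY


def scan_log(lines):
    """Return (client_ip, path, status) for every direct include-only request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip malformed lines
        if is_direct_include_request(m.group("path")):
            clean_path = m.group("path").split("?", 1)[0]
            hits.append((m.group("ip"), clean_path, int(m.group("status"))))
    return hits


# Constructed sample log: two benign requests and two direct include requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET /openbiblio/index.php HTTP/1.1" 200 4096',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /openbiblio/shared/footer.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /other/shared/footer.php HTTP/1.1" 404 210',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /openbiblio/admin/custom_marc_form_fields.php?x=1 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"direct include request from {ip}: {path} (HTTP {status})")
```

The check is path-based, not status-based, because a PHP warning that leaks the path is typically returned with HTTP 200.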