Multiple cross-site scripting (XSS) vulnerabilities in OpenBiblio 0.5.2-pre4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) LAST and (2) FIRST parameters to admin/staff_del_confirm.php, (3) the name parameter to admin/theme_del_confirm.php, or (4) the themeName parameter to admin/theme_preview.php.
OpenBiblio 0.5.2-pre4 and earlier are vulnerable to multiple cross-site scripting (XSS) attacks, allowing attackers to inject malicious JavaScript into web pages viewed by other users. This can lead to session hijacking, data theft, and defacement. Exploitation requires no authentication and can compromise the integrity of the OpenBiblio installation.
Step 1 (payload delivery): The attacker crafts a malicious URL containing a JavaScript payload in one of the vulnerable parameters (LAST, FIRST, name, or themeName).
Step 2 (request submission): The attacker delivers the crafted URL to a victim, typically through phishing, social engineering, or other means.
Step 3 (server processing): The OpenBiblio server receives the request and processes the parameters, including the malicious payload.
Step 4 (vulnerable output): Because the parameter values are not sanitized or encoded, the server incorporates the attacker's injected JavaScript into the HTML response.
Step 5 (victim execution): When the victim's browser renders the HTML response, it executes the embedded JavaScript payload. This can enable various malicious actions, such as stealing cookies, redirecting the user, or defacing the website.
The vulnerability stems from insufficient input validation and output encoding in OpenBiblio's administrative interface. Specifically, the application fails to sanitize or HTML-encode user-supplied data before reflecting it into the page. This allows attackers to inject arbitrary HTML and JavaScript through the LAST, FIRST, name, and themeName parameters. When a legitimate user views a page containing the injected script, the browser executes the malicious code with the privileges of that user's session on the OpenBiblio site.
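The following is an added detection example, not code from OpenBiblio or from the original advisory. It turns the endpoint/parameter pairs listed above into a scan over web-server access log lines, flagging GET requests to the three admin scripts whose LAST, FIRST, name or themeName values contain HTML metacharacters after percent-decoding (including double-encoded values). The log lines and IP addresses are constructed, and the install prefix /openbiblio/ is assumed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Endpoint -> parameters the advisory names as reflected without output encoding.
VULNERABLE_PARAMS = {
    "/admin/staff_del_confirm.php": {"LAST", "FIRST"},
    "/admin/theme_del_confirm.php": {"name"},
    "/admin/theme_preview.php": {"themeName"},
}
# Characters that close an HTML text or attribute context; the apostrophe also flags names like O'Brien.
HTML_META = re.compile(r"[<>\"']")
# Common/combined access-log request line: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# Constructed sample lines, not real traffic; the third one is double URL-encoded.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2010:10:01:02 +0000] "GET /openbiblio/admin/staff_del_confirm.php?userid=7&LAST=Smith&FIRST=Ann HTTP/1.1" 200 1843',
    '10.0.0.9 - - [12/Mar/2010:10:01:15 +0000] "GET /openbiblio/admin/staff_del_confirm.php?userid=7&LAST=%3Cb%3ESmith%3C%2Fb%3E&FIRST=Ann HTTP/1.1" 200 1901',
    '10.0.0.9 - - [12/Mar/2010:10:02:40 +0000] "GET /openbiblio/admin/theme_preview.php?themeName=%2522%253E%253Cb%253Ex HTTP/1.1" 200 2210',
    '10.0.0.7 - - [12/Mar/2010:10:03:01 +0000] "GET /openbiblio/admin/index.php?name=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 990',
]

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %253C is seen as '<', not as '%3C'."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for advisory parameters that carry HTML metacharacters."""
    parts = urlsplit(target)
    # The install prefix varies (/openbiblio/admin/...), so match on the path suffix.
    names = next((p for ep, p in VULNERABLE_PARAMS.items() if parts.path.endswith(ep)), set())
    query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs applies one decoding round
    hits = {}
    for name in query.keys() & names:
        for value in map(fully_decode, query[name]):
            if HTML_META.search(value):
                hits[name] = value
    return hits

def scan_log(lines) -> list:
    """Flag requests to the vulnerable scripts; POST bodies never reach the access log, so this sees GET only."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):  # lines that do not parse are skipped
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"), "path": urlsplit(m.group("target")).path, "params": hits})
    return findings
```

Run against real logs, expect some noise from legitimate names containing apostrophes; correlate hits on the same source address across the three scripts before escalating.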