OPENCONF CE 3.41 MULTIPLE XSS AND SQL
OpenConf CE 3.41 contains multiple stored and reflected cross-site scripting vulnerabilities and an SQL injection flaw in the conference chair interface, enabling session theft and direct database extraction.
CVSS Score: 8.8
Severity: High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Advisory
| Application | OpenConf CE |
| Version | 3.41 |
| Impact | Session theft and database extraction |
| Websec Advisory | WS10-06 |
Background
OpenConf is a peer-review management system used for conferences, workshops and symposia, and also for journals, grant programs and book projects.
Description
Cross-site scripting in the chair interface lets an attacker run script inside a chair's authenticated session. For the reflected cases shown in the proof of concept below, it is enough that the chair opens a crafted link, or visits an attacker-controlled page that loads it; the injected script then executes with the chair's privileges and can read and exfiltrate the session cookie. The rid parameter of show_reviewer.php is additionally concatenated into an SQL query without escaping, so the same request also yields SQL injection and direct extraction of database contents.
Exploit / Proof of Concept
/openconf/chair/show_reviewer.php?rid=1' and '<script>alert(0)</script>'='<script>alert(document.cookie)</script>
/openconf/chair/list_scores.php?s="><script>alert(0)</script>
/openconf/chair/show_paper.php?pid=<script>alert(0)</script>
Vulnerable Code and Fix
File: openconf/chair/show_reviewer.php
// Line 20 (SQL injection)
$q = "SELECT * FROM " . OCC_TABLE_REVIEWER . " WHERE reviewerid='".$_GET['rid']."'";
// Fix
$q = "SELECT * FROM " . OCC_TABLE_REVIEWER . " WHERE reviewerid='".safeSQLstr($_GET['rid'])."'";
// Line 25 (reflected XSS)
print '<tr><td>ID:</td><td>'.$_GET['rid'].'</td></tr>';
// Fix
print '<tr><td>ID:</td><td>'.safeHTMLstr($_GET['rid']).'</td></tr>';

The same pattern (safeSQLstr / safeHTMLstr wrappers on $_GET values) applies to list_scores.php (s parameter) and show_paper.php (pid parameter).
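The show_reviewer.php pattern from the Description and the two fixes above, rebuilt as an added example so the injection and its repair can be run offline. This is not OpenConf's code: the reviewer table, its columns, the PDO/SQLite backend and the use of htmlspecialchars in place of OpenConf's safeHTMLstr are assumptions, and a prepared statement stands in for safeSQLstr because a bound parameter never becomes SQL text at all.

```php
<?php
// Added example, not OpenConf code. Reproduces the advisory's
// show_reviewer.php pattern against an in-memory SQLite table:
// the concatenated query beside a prepared statement, and the raw
// echo of the parameter beside an HTML-escaped one.
// Assumed: table/column names, PDO with pdo_sqlite available.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reviewer (reviewerid INTEGER, name TEXT, email TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO reviewer VALUES (1, 'Alice', 'alice@example.org'),
                                       (2, 'Bob',   'bob@example.org')");

// Vulnerable: the advisory's query, built by concatenating $_GET['rid'].
function findReviewerVulnerable(PDO $db, string $rid): array
{
    $q = "SELECT * FROM reviewer WHERE reviewerid='" . $rid . "'";
    return $db->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is bound as a parameter and can never alter the SQL.
function findReviewerSafe(PDO $db, string $rid): array
{
    $stmt = $db->prepare('SELECT * FROM reviewer WHERE reviewerid = ?');
    $stmt->execute([$rid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Vulnerable: the advisory's print of $_GET['rid'] straight into HTML.
function renderIdVulnerable(string $rid): string
{
    return '<tr><td>ID:</td><td>' . $rid . '</td></tr>';
}

// Fixed: encode for the HTML text context the value lands in.
function renderIdSafe(string $rid): string
{
    return '<tr><td>ID:</td><td>'
        . htmlspecialchars($rid, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</td></tr>';
}

// Constructed inputs: a tautology that widens the concatenated WHERE clause,
// and the script tag used in the advisory's proof of concept.
$sqliPayload = "1' OR '1'='1";
$xssPayload  = '<script>alert(document.cookie)</script>';

printf("vulnerable query rows: %d\n", count(findReviewerVulnerable($db, $sqliPayload)));
printf("prepared query rows:   %d\n", count(findReviewerSafe($db, $sqliPayload)));
echo renderIdVulnerable($xssPayload), "\n";
echo renderIdSafe($xssPayload), "\n";
```

Run with `php example.php`. With the tautology, the concatenated query returns every reviewer row while the prepared statement returns none, because the bound string is compared as a whole value rather than parsed as SQL. The raw render emits the script tag as live markup; the escaped render emits it as visible text, which is the behaviour safeHTMLstr restores in the advisory's fix.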
Workaround
- Do not follow untrusted links or browse untrusted sites while logged in as an OpenConf admin or chair.
- Apply the sanitization fixes above until an upstream patch is released.
Remediation
Apply the patches documented above: safeSQLstr on values that end up inside quoted SQL string literals, safeHTMLstr on values echoed into HTML. Note that safeSQLstr only protects a value placed between quotes; a parameter used unquoted (a numeric position, ORDER BY or LIMIT) needs a prepared statement or a strict type check instead. Marking the session cookie HttpOnly limits cookie theft but does not stop an injected script from acting with the victim's session.