
#8 Two major security loopholes when running multiple DBs

v1.0 (example)
open
nobody
5
2011-10-05
2011-10-05
Anonymous
No

Version affected by this issue: phpBibliography 1.1.1
Host system tested on: CentOS 5.7 Linux running Apache 2.2.3-53 with PHP 5.1.6-27 on MySQL 5.0.77-4 (using backported RedHat security fixes)

The problem:

When setting up two or more phpBibliographies with different users on one server, logged in users from database A can just surf to the login URL of database B on the same host and are instantly logged in with write permissions on the bibliography, even if the specific username does not even exist in database B! Any phpBibliography user on that host could potentially attack and destroy any other phpBibliography running on that host!

Additionally, it is possible to easily create a scenario where a hypothetical user B (our attacker) on database B can even change user A's password on database A. The scenario works like this:

User A logs in to database A, surfs to the Admin menu / List users page and changes his password, then closes the browser window.

User B logs in to database B as usual. He then re-uses his login session by surfing to database A's login page directly. He gets instantly logged in even though his user does not exist in database A. He surfs to Admin menu / List users and gets presented with user A's username already filled in in the "Username" field. Now he can actually successfully attack User A by changing his password (I was extremely surprised that this worked!!).

Thus, users can write to phpBibliographies they shouldn't be allowed to write to under certain conditions AND they can even attack other users in other phpBibliographies running on the same host by changing their passwords under certain conditions. This is quite bad actually.
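As an added illustration (not phpBibliography's own code), the following sketch shows the session-handling pattern that produces the behaviour described above, where two installs on one host honour each other's PHP session, beside a hardened version that gives each install its own session name, cookie path and save path and binds every session to the install that created it. The instance identifier, the install path and PHP 5.4 or later are assumptions.

```php
<?php
// Hypothetical illustration, not phpBibliography's code: two installs of the same
// PHP application on one host share the default session cookie name (PHPSESSID)
// and the default session save path, so a session created by install A is
// presented to, and accepted by, install B.

// --- Weak pattern: any existing session counts as "logged in" ---
function is_logged_in_weak()
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();                    // shared name and storage host-wide
    }
    return isset($_SESSION['username']);    // never asks which install created it
}

// --- Hardened pattern: scope the session to this install and verify it ---
define('INSTANCE_ID', 'bibliography_A');    // assumed per-install id, e.g. the DB name
define('INSTANCE_PATH', '/bibA/');          // assumed URL path of this install

function start_instance_session()
{
    if (session_status() !== PHP_SESSION_NONE) {
        return;
    }
    // Distinct cookie name and path per install, so the browser never sends
    // install A's cookie to install B.  Positional form: lifetime, path, domain,
    // secure, httponly.
    session_name('SESS_' . INSTANCE_ID);
    session_set_cookie_params(0, INSTANCE_PATH, '', true, true);
    // Separate storage per install (directory assumed to exist and be writable),
    // so installs cannot read each other's session files even with the same id.
    session_save_path('/var/lib/php/sessions/' . INSTANCE_ID);
    session_start();
}

function login($username)
{
    start_instance_session();
    session_regenerate_id(true);            // fresh id on privilege change
    $_SESSION['username'] = $username;
    $_SESSION['instance'] = INSTANCE_ID;    // bind the session to this install
}

function is_logged_in_strong()
{
    start_instance_session();
    // Defence in depth: even if storage were shared, reject sessions minted elsewhere.
    return isset($_SESSION['username'], $_SESSION['instance'])
        && $_SESSION['instance'] === INSTANCE_ID;
}
```

With the hardened pattern, a session from install A carries `instance = bibliography_A` and a cookie scoped to `/bibA/`, so install B neither receives it nor would accept it.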
