CVE-2005-1783

Vulnerability

BookReview beta 1.0 mishandles certain parameters in search.htm, resulting in full server path disclosure in error messages. Additionally, multiple scripts such as add_review.htm, add_contents.htm, and index.php fail to sanitize user-supplied input in parameters like isbn, node, chapters, and page, enabling stored and reflected cross-site scripting [2]. Affected file: search.htm (path disclosure) and all module files reachable via index.php?page= [2].

Exploitation

For path disclosure, an attacker sends a request to search.htm with a missing value for the search[string] parameter or an incorrect submit[type] value; the server's error message reveals the web root path [1]. For XSS, an attacker crafts a URL containing malicious JavaScript in the vulnerable parameters (e.g., isbn) and entices a victim user to click it; no authentication or special network position is required [2]. The proof-of-concept URL http://[victim]/add_review.htm?isbn=0801052319%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Political_Science&review=true demonstrates injection into the isbn parameter [2].

Impact

Path disclosure aids reconnaissance by revealing the server's directory structure, potentially exposing other sensitive files. XSS allows an attacker to execute arbitrary scripts in the victim's browser within the trust context of the site, leading to cookie theft, session hijacking, or defacement [2]. Both issues compromise confidentiality and integrity.

Mitigation

No official fix has been released, and BookReview beta 1.0 appears to be an abandoned project [2]. Users should consider replacing the application or disabling it entirely. Input validation and output encoding must be applied to all user-controlled parameters. As of May 2005, no patch was available, and the vendor was notified but no response was reported [2]. The CVE is not listed on the CISA Known Exploited Vulnerabilities catalog.