Multiple SQL Injection Vulnerabilities

January 22nd, 2009 by Ismael Peña-López
Posted in Bugs & Problems

As published in many places, like this one, BibCiter has been found to have multiple SQL injection vulnerabilities, due to poor treatment of variables passed through URLs (post methods) before being processed.

Here’s the “official” announcement:

BibCiter Multiple SQL Injection Vulnerabilities
SECUNIA ADVISORY ID: SA33555
VERIFY ADVISORY: http://secunia.com/advisories/33555/
CRITICAL: Moderately critical
IMPACT: Manipulation of data
WHERE: From remote
SOFTWARE: BibCiter 1.x http://secunia.com/advisories/product/21050/
DESCRIPTION: nuclear has discovered some vulnerabilities in BibCiter, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed to the “idp” parameter in reports/projects.php, to the “idc” parameter in reports/contacts.php, and to the “idu” parameter in reports/users.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
These vulnerabilities are confirmed in version 1.4. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY: nuclear
ORIGINAL ADVISORY: http://milw0rm.com/exploits/7814

The solution requires time to code… time that I don’t have in the short run. So, protect yourselves at the .htaccess level.

Here’s how:

Thanks to Nassim Ettaki and David Alcubierre for valuable help :)
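The advisory above says the fix is to sanitise the id parameters before they reach SQL. The following is an added illustration of that source-level fix in PHP, not BibCiter's own code: it assumes PHP 7 with mysqli (mysqlnd), and the table and column names (`projects`, `idp`) are placeholders, since the page does not show the real schema.

```php
<?php
// Added example, not BibCiter's code: a guard for the integer id parameters
// named in SA33555 (idp, idc, idu). Table/column names are assumed.

/**
 * Return the request parameter $name as a validated integer, or stop the
 * request with HTTP 400 if it is missing or not a plain non-negative integer.
 * Reads GET and POST so the guard holds whichever method the form uses.
 */
function require_int_param(string $name): int
{
    $raw = $_GET[$name] ?? $_POST[$name] ?? null;
    // FILTER_VALIDATE_INT rejects anything that is not a bare integer literal,
    // so appended SQL fragments, quotes or comments never pass.
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($value === false) {
        http_response_code(400);
        exit('Invalid id parameter');
    }
    return $value;
}

// The bug class described in the advisory is the raw string being interpolated
// straight into the query, e.g.:
//   $sql = "SELECT * FROM projects WHERE idp = " . $_GET['idp'];

// Hardened version: a validated integer plus a bound parameter, so the value
// is never parsed as SQL. $db is an open mysqli connection (assumed).
function load_project(mysqli $db): ?array
{
    $idp  = require_int_param('idp');
    $stmt = $db->prepare('SELECT * FROM projects WHERE idp = ?');
    $stmt->bind_param('i', $idp);   // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The same `require_int_param` call covers `idc` in reports/contacts.php and `idu` in reports/users.php. A query-string filter in .htaccess only sees GET parameters, so if the values also arrive in POST bodies, the source-level check is the one that holds.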

BibCiter 1.4

January 16th, 2009 by Ismael Peña-López
Posted in Bugs & Problems, Releases

BibCiter v1.4 is now out.

Besides some minor issues concerning citing styles, it does fix a critical bug in the authentication process. Detected by Emilio Quintana and solved (thank you!) by Wu Jiewen, the problem was that the length of the password field was too short for MySQL 4.1, which needed a longer field to hold the whole hash value. I would never have figured it out, so thanks again Jiewen!

Bibciter 1.3.1

August 30th, 2008 by Ismael Peña-López
Posted in Bugs & Problems, Releases

Uh, there was a problem with a search filter that made it not work properly (actually, it didn’t work at all).

So we fixed it.

And improved some searching routines too.

Download BibCiter v1.3.1

Bibciter 1.3

August 29th, 2008 by Ismael Peña-López
Posted in Releases

New release - version 1.3 - comes full of new features:

RSS feeds

Besides the existing feature to subscribe to the new works on the site, now:

  • added RSS feed for each author
  • added RSS feed for each category
  • added RSS feed for each bibliography
  • improved the way RSS for new works worked. Old rss20.xml has been deprecated

Web 2.0 features

  • included tagclouds in the bibliographies views
  • added the possibility to save works and authors to delicious

Multilanguage

Added the localization feature: the site is now in English and can be switched to

  • (partially) Spanish
  • (partially) Catalan

Other improvements

  • added a new bibliographic style, “no links”, to print the cleanest data
  • improved the output of the searches
  • eased the way related and included projects are searched in combo boxes
  • improved the way BibTeX export files are generated

Bugs fixed

  • improved the form for projects, thus avoiding an error when assigning the same author twice to the same project
  • fixed problem in bibliography sorting
  • fixed some errors in the login procedures, due to malfunctions of cookies

Download BibCiter v1.3

Bibciter 1.2

June 1st, 2008 by Ismael Peña-López
Posted in Releases

An incomprehensible error made it impossible for some users to install the previous version (v1.1). Incomprehensible, among other things, because simply retyping part of the install code, without changing a single comma, made it work again. Weird.

Indeed. Some install features were improved and added.

Some improvements too in the Projects form to better manage information.

Bibciter plugin for WordPress 1.1

April 20th, 2008 by Ismael Peña-López
Posted in Plugin, Releases

I’ve created a plugin for WordPress so those using both applications together (WordPress and BibCiter) can easily cite content from the latter in the former.

The plugin adds one to three WordPress shortcodes, so that embedding BibCiter citations in blog posts requires nothing but knowing the ID of a Work or an Author. The shortcodes are the following:

  • BibCiter_Work embeds the “author (year) work”, the work being linked to its file on BibCiter
  • BibCiter_Title just embeds the work’s title, linking it to its file on Bibciter
  • BibCiter_Author embeds an author’s name, linking it to its file on Bibciter

To work properly, both BibCiter and WordPress must be installed under the same domain - though with very simple coding changes this can be easily altered.

Download the plugin

Bibciter 1.1

April 20th, 2008 by Ismael Peña-López
Posted in Plugin, Releases

Here comes v1.1. The main change has been some little adaptations to be able to support a WordPress plugin and some issues about shifting towards charset UTF-8. I’m sorry about the latter because no doubt it will cause problems with some characters (especially for those using BibCiter with languages full of “special” characters). There’s some stuff on the Internet that can help in the transition. Patience will also play a good part.

Improvements in this v1.1 release:

  • changed charset to utf-8. Might give some problems if updating
  • transformed the database and files to support UTF-8 character coding
  • improved the way styles are called (as a variable, not just printed along)
  • made some minor changes to be able to work with a WordPress plugin
  • created a WordPress plugin so that works and authors can be called from a blog post

Bibciter 1.0

April 2nd, 2008 by Ismael Peña-López
Posted in Releases

I’m really proud to announce that, at last, v1.0 of BibCiter will see the light.

After two and a half years of coding (!!!) and intensive use, I guess the creature is ready to have a life as a decent 1.0, no 0.anything, no betas.

This does not mean there is nothing to be improved, but let’s leave these improvements for v1.x or v2.0.

Improvements in this v1.0 release:

  • way, way, way improved the way projects are cited, including huge improvement in bibliography citing styles management
  • solved a small issue with published works that are “references” (e.g. journals, reviews…) and have no publishing date/year
  • slightly improved the export to BibTeX format
  • improved accessibility
  • improved comparison between two bibliographies
  • added the possibility to “remember” the user logged in (setting a cookie up)
  • in searches, if “not found” or results not satisfactory, possibility to directly add the query as a contact/work
  • added the “title” attribute to authors when listed with links, showing the full name of the author instead of the “formal/citation” name

By the way, I decided to remove the addition of sample data in the installation process, because I thought it just added noise and, sometimes, was a source of problems. I don’t think anybody’s gonna miss this ;)

Bibciter 0.19

February 8th, 2008 by Ismael Peña-López
Posted in Releases

This is a pretty good update with pretty improved features.

  • The search form on the sidebar has been improved to search works by default, or to go to the browse and advanced search form to specify other ways of searching
  • works that are not published (e.g. forthcoming) are way better managed (and presented in reports) now
  • for those who need to embed citations in blogs, wikis or other website pages, I added a new presentation style (“web_en”) that lists bibliographies in APA style leaving only a link to your file page, so you can send your visitors to your BibCiter installation
  • I also enabled the possibility to compare any two bibliographies, regardless of whether they are hidden and/or public. Now you can choose to list the bibliographies to compare according to your desired attributes

Bibciter 0.18

January 27th, 2008 by Ismael Peña-López
Posted in Setup

Overall, the most important update in the last version is that installation does not break :P
I was notified that the installation did not work. Actually, the installation (strictly speaking) did - at least this is my impression - and what did not succeed was importing some sample data so BibCiter does not appear completely empty. I fixed this.

So, the new things this time are:

- added possibility to sort by year in bibliographies (useful to quickly glance the “range” of a bibliography)
- changed the sorting option of bibliographies appearing in admin mode besides works: now by ID
- improved bibliography presentation filtering
- improved contact presentation filtering
- solved install problem