lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALH-=7yTJORP2TNdC-a6E7e4qqmRh37qrBc7Aw1E1kXe_9TgRQ@mail.gmail.com>
Date: Tue, 23 Dec 2014 12:48:45 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Stored XSS Vulnerability in CMS Serendipity v.2.0-rc1

Advisory: Stored XSS Vulnerability in CMS Serendipity v.2.0-rc1

Advisory ID: SROEADV-2014-02

Author: Steffen Rösemann

Affected Software: CMS Serendipity v.2.0-rc1 (Release: 20th Dec 2014)

Vendor URL: http://www.s9y.org/

Vendor Status: fixed

CVE-ID: -


 ==========================

Vulnerability Description:

==========================


 The Content Management System Serendipity v.2.0-rc1 has a stored
XSS-vulnerability in its comment functionality. Arbitrary HTML- and/or
JavaScriptcode is stored in the database. On the frontend side, it gets
sanitized, while on the administrative backend, where new comments are
displayed to the administrator after login, it gets immidiately executed.


 ==================

Technical Details:

==================


 If an attacker is posting arbitrary HTML- and/or JavaScriptcode in a
comment, which for example is located in the following URL, it will be
stored in the database without being sanitized.


 http://
{HOSTNAME/DOMAIN}/serendipity/index.php?/archives/{TITLE-OF-THE-BLOG-ENTRY}.html#comments


 When the comments are displayed on the frontend, they will be sanitized,
while on the administrative backend it gets displayed unsanitized and is
being executed, because the latest comments are shown, after an
administrative user has been logged in to the following URL:


 http://{HOSTNAME/DOMAIN}/serendipity/serendipity_admin.php


 =========

Solution:

=========


 Update to the latest version


 ====================

Disclosure Timeline:

====================

22-Dec-2014 – found the vulnerability

23-Dec-2014 - informed the developers

23-Dec-2014 - release date of this security advisory

23-Dec-2014 - response and fix by vendor

23-Dec-2014 - post on FullDisclosure


 ========

Credits:

========


 Vulnerability found and advisory written by Steffen Rösemann.


 ===========

References:

===========


 http://blog.s9y.org/archives/259-Serendipity-2.0-rc2-released.html

http://sroesemann.blogspot.de

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ