lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 1 Sep 2015 13:42:50 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Serendipity 2.0.1 - Persistent XSS

Serendipity 2.0.1: Persistent XSS
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: 	Serendipity 2.0.1	
Fixed in: 		2.0.2
Fixed Version Link:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Vendor Contact: 	serendipity@...ergarv.de	
Vulnerability Type: 	Persistent XSS	
Remote Exploitable: 	Yes	
Reported to vendor: 	07/21/2015	
Disclosed to public: 	09/01/2015	
Release mode: 		Coordinated release	
CVE: 			n/a	
Credits 		Tim Coen of Curesec GmbH	

2. Vulnerability Description

There is a persistent XSS vulnerability in Serendipity 2.0.1 when using
the default 2k11 theme. It requires a click of the victim to trigger.

The problem exists because the theme reads out the name field of a
comment using the jQuery .text() function, which decodes the previously
properly encoded name. It then inserts the result back into the DOM.

3. Proof of Concept

    Add comment with name <img src="no" onerror="alert(1)">
    Click "reply" on that comment

The admin may be tricked into clicking on reply by leaving a question as
comment or via ClickJacking.

4. Code


 	    include/functions_comments.inc.php:180
		    function serendipity_displayCommentForm
		    [...]
			    'commentform_replyTo'        =>
serendipity_generateCommentList($id, $comments,
((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)),

	    include/functions_comments.inc.php:306
		    function serendipity_generateCommentList(
		    [...]
		    $retval .= '<option value="' . $comment['id'] . '"'. ($selected ==
$comment['id'] || (isset($serendipity['POST']['replyTo']) &&
$comment['id'] == $serendipity['POST']['replyTo']) ? '
selected="selected"' : '') .'>' . str_repeat(' ', $level * 2) . '#' .
$indent . $i . ': ' . (empty($comment['author']) ? ANONYMOUS :
serendipity_specialchars($comment['author']))

        js/2k11.min.js
            a("#serendipity_replyTo :selected").text()

5. Solution

To mitigate this issue please upgrade at least to version 2.0.2:

https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Please note that a newer version might already be available.

5. Report Timeline

07/21/2015 	Informed Vendor about Issue
07/24/2015 	Vendor releases Version 2.0.2
09/01/2015 	Disclosed to public

6. Blog Reference
http://blog.curesec.com/article/blog/Serendipity-201-Persistent-XSS-51.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ