SecurityReason.com - Our Reason is Security


Topic: Serendipity Weblog XSS Vulnerabilities

SecurityAlert: 1771
CVE: CVE-2006-5499
SecurityRisk: Low
Remote Exploit: Yes
Local Exploit: No
Exploit Available: Yes
Credit: Stefan Esser (sesser hardened-php net)
Published: 26.10.2006

Affected Software: Serendipity <= 1.0.1



Advisory Content:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-

Advisory: Serendipity Weblog XSS Vulnerabilities
Release Date: 2006/10/19
Last Modified: 2006/10/19
Author: Stefan Esser [sesser (at) hardened-php (dot) net]

Application: Serendipity <= 1.0.1
Severity: Multiple XSS vulnerabilities within the administration
interface allow Cross Site Scripting attacks against
the blog admin
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_112006.136.html

Overview:

Quote from http://www.s9y.org
"Serendipity is a PHP-powered weblog application which gives the
user an easy way to maintain an online diary, weblog or even a
complete homepage. While the default package is designed for
the casual blogger, Serendipity offers a flexible, expandable
and easy-to-use framework with the power for professional
applications."

During a quick audit of Serendipity it was discovered that
multiple XSS vulnerabilities exist in the administration area.
Because of these vulnerabilities, an attacker who tricks an admin
into visiting a specially prepared website can perform any
administrative action in the blog, including posting entries or
adding additional admin users.

Tricking a blog admin into visiting a certain website is usually
as simple as mentioning a URL in the comments of his blog.

Details:

Serendipity failed to correctly sanitize user input on the
media manager administration page. The contents of GET variables
were written unescaped into JavaScript string literals. Using
standard string-breakout techniques (closing the quoted literal
and appending code) it was therefore possible to execute
arbitrary JavaScript in the admin's browser.

Additionally, Serendipity dynamically created an HTML form on
the media manager administration page that contained every
variable found in the URL as a hidden field. While the variable
values were correctly escaped, the variable names were not, so
it was possible to break out of the generated markup by
supplying crafted variable names.
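
The two output patterns described above, as an added example that is
not Serendipity's code and is not taken from the advisory: a minimal
PHP fragment that writes a GET value into a JavaScript string and
builds hidden fields from every URL parameter, each in a vulnerable
form and a hardened form. The function names, the constructed $get
array and its payloads are illustrative assumptions, not material
from the affected release.

```php
<?php
// Added example, not Serendipity's code: the two output patterns from the
// advisory, each as a vulnerable and a hardened variant. The $get array is a
// constructed stand-in for $_GET on the media manager page.
declare(strict_types=1);

// Constructed attacker input. Both the parameter *value* and the parameter
// *name* are attacker-controlled, because PHP builds $_GET from the raw query
// string. (PHP rewrites spaces and dots in parameter names to underscores, so
// a name payload avoids them; '<', '>' and '"' pass through untouched.)
$get = [
    'page'                                      => "1'; alert(document.cookie); //",
    '"><script>alert(1)</script><input name="x' => 'harmless value',
];

// ---- Pattern 1: a GET value interpolated into a JavaScript string literal ----

// Vulnerable: the value is dropped into a single-quoted JS string unchanged,
// so a quote in the value ends the literal and the remainder runs as code.
function jsVarVulnerable(string $name, string $value): string
{
    return "<script>var $name = '$value';</script>";
}

// Hardened: json_encode() yields a valid JS string literal for any input; the
// JSON_HEX_* flags hex-escape < > & ' " so the literal can neither close the
// enclosing <script> element nor break out of an attribute, and invalid UTF-8
// is substituted instead of turning the result into false (PHP >= 7.2).
function jsVarSafe(string $name, string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return "<script>var $name = " . json_encode($value, $flags) . ";</script>";
}

// ---- Pattern 2: hidden form fields generated from every URL variable ----

// Vulnerable: values are escaped, names are not. A crafted *name* closes the
// name="..." attribute and the tag, then injects whole new elements.
function hiddenFieldsVulnerable(array $get): string
{
    $out = '';
    foreach ($get as $name => $value) {
        $out .= '<input type="hidden" name="' . (string) $name . '" value="'
              . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '">' . "\n";
    }
    return $out;
}

// Hardened: escape the name exactly like the value, and additionally drop any
// name that does not look like a form-field name. An allowlist of the
// parameters the page actually expects would be stricter still.
function hiddenFieldsSafe(array $get): string
{
    $out = '';
    foreach ($get as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9_\[\]]{1,64}\z/', (string) $name)) {
            continue; // unexpected parameter name: do not echo it at all
        }
        $out .= '<input type="hidden" name="'
              . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8')
              . '" value="' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
              . '">' . "\n";
    }
    return $out;
}

echo "JS string, vulnerable:\n", jsVarVulnerable('page', $get['page']), "\n";
echo "JS string, hardened:\n",   jsVarSafe('page', $get['page']), "\n\n";
echo "Hidden fields, vulnerable:\n", hiddenFieldsVulnerable($get);
echo "Hidden fields, hardened:\n",   hiddenFieldsSafe($get);
```

Run it with `php` from the command line: the two vulnerable outputs contain
the alert() calls in executable positions (a terminated JS literal, and a
script element injected between the hidden inputs), whereas the hardened
JS output contains the payload only as an inert escaped literal and the
hardened form omits the crafted name entirely. The point the advisory makes
is that escaping only the values is not enough when names are also taken
from the URL.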

Proof of Concept:

The Hardened-PHP Project is not going to release exploits for
this vulnerability to the public.

Disclosure Timeline:

05. October 2006 - Contacted Serendipity developers by email
18. October 2006 - Updated Serendipity was released
19. October 2006 - Public Disclosure

Recommendation:

It is strongly recommended to upgrade to the newest version of
Serendipity 1.0.2 which you can download at:

http://prdownloads.sourceforge.net/php-blog/serendipity-1.0.2.tar.gz?download

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFN6xcRDkUzAqGSqERAjoGAJ9coU5lI5WOMrFCsGylRpOtwX0ifACg3TZ0
074k4shsfTsLA6aXBQc72uY=
=Ognk
-----END PGP SIGNATURE-----





Copyright © SecurityReason.com. All Rights Reserved.