Serendipity Input Validation Hole in Multi-User Back End Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1019502
SecurityTracker URL: http://securitytracker.com/id?1019502
CVE Reference: CVE-2008-0124
Date: Feb 26 2008
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): prior to 1.3-beta1
Description: A vulnerability was reported in Serendipity. A remote user can conduct cross-site scripting attacks.
When configured for a multi-user environment, the back end does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Serendipity software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The 'Real name' field in the 'Personal Settings' dialogue is affected.
The media library allows a remote authenticated user to upload files in arbitrary formats.
The vendor was notified on February 1, 2008.
The original advisory is available at:
http://int21.de/cve/CVE-2008-0124-s9y.html
Hanno Boeck of schokokeks.org reported this vulnerability.
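The two defects the description names (a stored display name rendered without HTML filtering, and a media library that accepts uploads of any format) map onto two server-side controls. The following Python is an added illustration written for this page, not Serendipity's own (PHP) code; the field name, byline markup, sample display name and allowlist contents are assumptions chosen for the example.

```python
import html
import os

# Constructed sample input: a "Real name" value as a hostile co-author on a
# multi-user blog might set it in the Personal Settings dialogue. This is a
# labelled test string for the example, not data taken from the advisory.
SAMPLE_REAL_NAME = 'Eve <script>alert(1)</script>'


def byline_vulnerable(real_name: str) -> str:
    """Interpolates the stored display name into article HTML unchanged.

    This mirrors the defect class the advisory describes (a profile field
    rendered in newly written articles without HTML filtering). It is an
    illustration of the bug class, not Serendipity's actual template code.
    """
    return f'<p class="author">Posted by {real_name}</p>'


def byline_hardened(real_name: str) -> str:
    """Contextual output encoding for an HTML text node.

    Every character that is significant in HTML (<, >, &, ", ') is replaced
    by its entity, so whatever the user stored can only ever be displayed as
    text and never parsed as markup or script.
    """
    return f'<p class="author">Posted by {html.escape(real_name, quote=True)}</p>'


# Allowlist for the media library. The advisory notes that htm, html and js
# uploads were accepted; the usual fix is an allowlist of non-active formats
# rather than a denylist of known-bad extensions. The set below is an
# assumption for the example.
ALLOWED_UPLOAD_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "zip"})


def is_upload_allowed(filename: str) -> bool:
    """Accept a media upload only if its final extension is on the allowlist.

    Uses the last extension only (so 'a.png.html' is rejected), lowercases it
    (so 'x.HTML' is rejected too) and refuses names with no extension at all.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_UPLOAD_EXTENSIONS


if __name__ == "__main__":
    print(byline_vulnerable(SAMPLE_REAL_NAME))   # script tag survives intact
    print(byline_hardened(SAMPLE_REAL_NAME))     # script tag is entity-encoded
    for name in ("photo.png", "notes.html", "script.js", "a.png.htm", "README"):
        print(f"{name}: {'allowed' if is_upload_allowed(name) else 'rejected'}")
```

Encoding on output rather than filtering on input is the durable control here: the same stored name may later be rendered in an attribute, a feed or an e-mail, and each sink needs its own encoder. The upload allowlist complements the trustxss plugin the reporter mentions, which only addresses injected markup in text fields, not a browser fetching an uploaded .html or .js file from the site's own origin.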
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Serendipity software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (1.3-beta1).
The vendor's advisory is available at:
http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html
Vendor URL: www.s9y.org/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Hanno Boeck" <hanno@hboeck.de>
Message History:
None.
Source Message Contents
Date: Tue, 26 Feb 2008 15:11:40 +0100
From: "Hanno Böck" <hanno@hboeck.de>
Subject: [Full-disclosure] Backend Cross Site Scripting (XSS) in Serendipity
Source:
http://int21.de/cve/CVE-2008-0124-s9y.html
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0124
http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html
http://hboeck.de/archives/591-Cross-Site-Scripting-XSS-in-the-backend-and-in-the-installer.html
Description
Serendipity (S9Y) is a popular blogging system.
If used in a multiuser environment, one user can inject javascript code into certain fields in the backend to steal the cookies and hijack the accounts of other users.
Serendipity has the trustxss plugin to prevent XSS between users on multiuser setups, but that doesn't catch these issues.
In the »Personal Settings«-Dialogue, the »Real name« field can be filled with javascript, which appears on newly written articles. The »Username« field can also contain javascript, but there's no attack vector, as this field is only shown to the user itself.
Besides, the media library accepts uploads from any file format, including htm, html and js, which obviously also leads to XSS.
Workaround/Fix
If you have a multiuser-blog and don't trust all users, you need to install the trustxss plugin and should immediately upgrade to 1.3-beta1.
If you're using a single-user blog, you are not affected.
Disclosure Timeline
2008-02-01 Vendor contacted
2008-02-01 Vendor fixed svn
2007-02-25 Vendor released 1.3-beta1
CVE Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0124 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
Credits and copyright
This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. It's licensed under the creative commons attribution license.
Hanno Boeck, 2008-02-26, http://www.hboeck.de
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de