Category:   Application (Forum/Board/Portal)  >   Serendipity Vendors:
Serendipity Input Validation Hole in Multi-User Back End Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1019502
SecurityTracker URL:
CVE Reference:   CVE-2008-0124
Date:  Feb 26 2008
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 1.3-beta1
Description:   A vulnerability was reported in Serendipity. A remote user can conduct cross-site scripting attacks.

When configured for a multi-user environment, the back end does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Serendipity software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'Real name' field in the 'Personal Settings' Dialogue is affected.

The media library allows a remote authenticated user to upload files in arbitrary formats.
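The two weaknesses described above, the unencoded 'Real name' field and the format-agnostic media upload, are shown here in a vulnerable and a hardened form. This is an added example written for this page, not code from Serendipity, from its 1.3-beta1 fix, or from the reporter; the rendering helpers `render_byline_vulnerable`, `render_byline_safe` and `is_allowed_upload`, the allowlist of image types, and the sample name and upload contents are all constructed for illustration.

```php
<?php
// Added example, not Serendipity's own code: the two weaknesses the advisory
// describes, each in a vulnerable and a hardened form. Run with `php example.php`.

// Constructed sample value: a "Real name" that a co-author of a multi-user blog
// could save in the Personal Settings dialogue. The probe only pops an alert.
$realName = 'Alice<script>alert(1)</script>';

// Vulnerable form (hypothetical rendering helper): the stored name is placed in
// the article byline without encoding, so markup in it is interpreted by every
// reader's browser in the origin of the blog.
function render_byline_vulnerable(string $realName): string
{
    return '<span class="author">' . $realName . '</span>';
}

// Hardened form: encode at the output boundary, in the encoding of the page.
// ENT_QUOTES also covers the attribute context, should the name end up there.
function render_byline_safe(string $realName): string
{
    $escaped = htmlspecialchars($realName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="author">' . $escaped . '</span>';
}

// Media library check. Instead of accepting "any file format", allow only the
// types the library is for, and require the leading bytes to match the declared
// extension so that an HTML document renamed to .png is refused as well.
const IMAGE_SIGNATURES = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'gif'  => 'GIF8',
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
];

function is_allowed_upload(string $filename, string $contents): bool
{
    // No path separators or NUL bytes in the client-supplied name.
    if ($filename === '' || strpbrk($filename, "/\\\0") !== false) {
        return false;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(IMAGE_SIGNATURES[$ext])) {
        return false;            // html, htm, js, svg, php, ... are all refused
    }
    $magic = IMAGE_SIGNATURES[$ext];
    return strncmp($contents, $magic, strlen($magic)) === 0;
}

// Constructed uploads: a real PNG header, an HTML file, and HTML disguised as PNG.
$uploads = [
    ['avatar.png', "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"],
    ['notes.html', '<html><script>alert(1)</script></html>'],
    ['avatar.png', '<html><script>alert(1)</script></html>'],
];

echo render_byline_vulnerable($realName), "\n";  // markup reaches the browser intact
echo render_byline_safe($realName), "\n";        // markup is encoded and shown as text

foreach ($uploads as [$name, $bytes]) {
    printf("%-11s %s\n", $name, is_allowed_upload($name, $bytes) ? 'accepted' : 'refused');
}
```

Only the first upload passes: the second fails the extension allowlist and the third fails the signature check. In a real deployment the accepted file should additionally be stored under a server-generated name and served from a path where the web server will not execute or render it, so that a permitted image type can never be turned into active content by a second extension.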

The vendor was notified on February 1, 2008.

The original advisory is available at:

Hanno Boeck of reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Serendipity software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (1.3-beta1).

The vendor's advisory is available at:

Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Backend Cross Site Scripting (XSS) in Serendipity

Serendipity (S9Y) is a popular blogging system.
If used in a multiuser environment, one user can inject javascript code into certain fields in the backend to steal the cookies and hijack the accounts of other users.

Serendipity has the trustxss plugin to prevent XSS between users on multiuser setups, but that doesn't catch these issues.

In the »Personal Settings«-Dialogue, the »Real name« field can be filled with javascript, which appears on newly written articles. The »Username« field can also contain javascript, but there's no attack vector, as this field is only shown to the user itself.

Besides, the media library accepts uploads from any file format, including html and js, which obviously also leads to xss.

If you have a multiuser-blog and don't trust all users, you need to install the trustxss plugin and should immediately upgrade to 1.3-beta1.
If you're using a single-user blog, you are not affected.

Disclosure Timeline

2008-02-01 Vendor contacted
2008-02-01 Vendor fixed svn
2007-02-25 Vendor released 1.3-beta1

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0124 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.

Credits and copyright

This vulnerability was discovered by Hanno Boeck of webhosti
It's licensed under the creative commons attribution license.

Hanno Boeck, 2008-02-26,

Hanno Böck		Blog:
GPG: 3DBD3B20		Jabber/Mail:


