SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   Serendipity
Vendors:   s9y.org
Serendipity Input Validation Flaw in Administrative Backend Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1031481
SecurityTracker URL:  http://securitytracker.com/id/1031481
CVE Reference:   CVE-2014-9432
Date:  Jan 2 2015
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.0-rc1; possibly earlier versions
Description:   A vulnerability was reported in Serendipity. A remote user can conduct cross-site scripting attacks.

The administrative backend does not properly filter HTML code from user-supplied input in the comments before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Serendipity software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor was notified on December 23, 2014.

Steffen Rosemann reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Serendipity software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (2.0-rc2).

The vendor's advisory is available at:

http://blog.s9y.org/archives/259-Serendipity-2.0-rc2-released.html

Vendor URL:  blog.s9y.org/archives/259-Serendipity-2.0-rc2-released.html
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Stored XSS Vulnerability in CMS Serendipity v.2.0-rc1

Advisory: Stored XSS Vulnerability in CMS Serendipity v.2.0-rc1
Advisory ID: SROEADV-2014-02
Affected Software: CMS Serendipity v.2.0-rc1 (Release: 20th Dec 2014)
Vendor URL: http://www.s9y.org/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Content Management System Serendipity v.2.0-rc1 has a stored XSS vulnerability in its comment functionality. Arbitrary HTML and/or JavaScript code is stored in the database. On the frontend side, it gets sanitized, while on the administrative backend, where new comments are displayed to the administrator after login, it gets immediately executed.

==================
Technical Details:
==================

If an attacker posts arbitrary HTML and/or JavaScript code in a comment, for example at the following URL, it will be stored in the database without being sanitized.

http://{HOSTNAME/DOMAIN}/serendipity/index.php?/archives/{TITLE-OF-THE-BLOG-ENTRY}.html#comments

When the comments are displayed on the frontend, they are sanitized, while on the administrative backend they are displayed unsanitized and executed, because the latest comments are shown after an administrative user has logged in at the following URL:

http://{HOSTNAME/DOMAIN}/serendipity/serendipity_admin.php

=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================
23-Dec-2014 - informed the developers
23-Dec-2014 - release date of this security advisory
23-Dec-2014 - response and fix by vendor
23-Dec-2014 - post on FullDisclosure

========
Credits:
========


===========
References:
===========

http://blog.s9y.org/archives/259-Serendipity-2.0-rc2-released.html
http://sroesemann.blogspot.de
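The flaw described above is a missing output-encoding step on one of two rendering paths: the same stored comment is escaped on the public blog page but echoed raw on the administrator's dashboard. The following added example (written here as an illustration, not code from Serendipity or from the advisory author) models that situation with a constructed comment list, a vulnerable and a fixed admin renderer, and a small check that flags any tag in the rendered page that the template itself did not emit. All function names and the sample comments are assumptions made for this example.

```python
import html
import re

# Constructed sample comments, standing in for rows of the comments table.
# They are not taken from the advisory; the markup is only there to show
# what happens when a stored string is echoed without output encoding.
STORED_COMMENTS = [
    "Nice post, thanks!",
    "<script>document.title = 'injected'</script>",
    '<img src="x" onerror="console.log(1)">',
    'Ampersands & "quotes" & <angle brackets> are ordinary text',
]

# Tags the page templates below are allowed to emit (assumed for this example).
TEMPLATE_TAGS = {"<ul>", "</ul>", "<li>", "</li>", "<p>", "</p>"}


def escape_html(text: str) -> str:
    """Output encoding for an HTML element body.

    quote=True also encodes the quote characters, so the same helper is safe
    to reuse inside a quoted attribute value.
    """
    return html.escape(text, quote=True)


def render_frontend(comments) -> str:
    """Public blog page: the path the advisory says already sanitizes."""
    return "".join(f"<p>{escape_html(c)}</p>" for c in comments)


def render_admin_vulnerable(comments) -> str:
    """Admin dashboard as the advisory describes it: the stored string is
    interpolated into the page as-is, so browser-active markup survives."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_admin_fixed(comments) -> str:
    """The same dashboard with the missing output encoding applied.

    Escaping happens at render time, per output context, rather than when
    the comment is stored, so every page that shows comments is covered.
    """
    return "<ul>" + "".join(f"<li>{escape_html(c)}</li>" for c in comments) + "</ul>"


def foreign_tags(rendered_html: str) -> list:
    """Return every tag-like token in the rendered page that the template
    itself did not emit. A non-empty result means user data reached the
    browser as markup, which is the condition the advisory describes."""
    return [t for t in re.findall(r"<[^>]+>", rendered_html) if t not in TEMPLATE_TAGS]


if __name__ == "__main__":
    renderers = [
        ("frontend", render_frontend),
        ("admin (vulnerable)", render_admin_vulnerable),
        ("admin (fixed)", render_admin_fixed),
    ]
    for name, renderer in renderers:
        leaked = foreign_tags(renderer(STORED_COMMENTS))
        print(f"{name:20s} foreign tags: {leaked or 'none'}")
```

Run stand-alone, the script reports foreign tags only for the vulnerable admin renderer; the frontend and the fixed admin page yield none. The `foreign_tags` check is a cheap regression test to keep next to any template that lists user-submitted content, since the bug class here is precisely a second output path that forgot the encoding the first one had.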
Copyright 2019, SecurityGlobal.net LLC