SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   Serendipity
Vendors:   s9y.org
Serendipity Input Validation Flaws in Administration Interface Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1017100
SecurityTracker URL:  http://securitytracker.com/id/1017100
CVE Reference:   CVE-2006-5499
Updated:  Jun 2 2008
Original Entry Date:  Oct 20 2006
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.1 and prior versions
Description:   A vulnerability was reported in Serendipity. A remote user can conduct cross-site scripting attacks.

The web administration interface does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target administrative user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Serendipity software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The media manager administration page is affected.

The vendor was notified on October 5, 2006.

Stefan Esser of the Hardened-PHP Project reported this vulnerability.

The original advisory is available at:

http://www.hardened-php.net/advisory_112006.136.html

Impact:   A remote user can access the target administrative user's cookies (including authentication cookies), if any, associated with the site running the Serendipity software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fixed version (1.0.2), available at:

http://www.s9y.org/12.html

Vendor URL:  www.s9y.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Advisory 11/2006: Serendipity Weblog XSS Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: Serendipity Weblog XSS Vulnerabilities
 Release Date: 2006/10/19
Last Modified: 2006/10/19
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: Serendipity <= 1.0.1
     Severity: Multiple XSS vulnerabilities within the administration
               interface allow Cross Site Scripting attacks against
               the blog admin
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_112006.136.html


Overview:

   Quote from http://www.s9y.org
   "Serendipity is a PHP-powered weblog application which gives the 
    user an easy way to maintain an online diary, weblog or even a 
    complete homepage. While the default package is designed for 
    the casual blogger, Serendipity offers a flexible, expandable 
    and easy-to-use framework with the power for professional 
    applications."

   During a quick audit of Serendipity it was discovered that 
   multiple XSS vulnerabilities exist in the administration area.
   Because of these vulnerabilities it is possible for an attacker
   that tricks an admin into visiting a specially prepared website
   to perform any administrative action in the blog. This includes
   posting entries or adding additional admin users.
   
   Tricking a blog admin into visiting a certain website is usually as
   simple as mentioning a URL in the comments of his blog.
   

Details:

   Serendipity failed to correctly sanitize user input on the 
   media manager administration page. The content of GET variables
   was written into JavaScript strings. By using standard string 
   evasion techniques it was possible to execute arbitrary 
   JavaScript.
   
   Additionally, Serendipity dynamically created an HTML form on
   the media manager administration page that contained all
   variables found in the URL as hidden fields. While the variable
   values were correctly escaped it was possible to break out
   by specifying strange variable names.
   

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for
   this vulnerability to the public.


Disclosure Timeline:

   05. October 2006 - Contacted Serendipity developers by email
   18. October 2006 - Updated Serendipity was released
   19. October 2006 - Public Disclosure


Recommendation:

   It is strongly recommended to upgrade to the newest version of
   Serendipity, 1.0.2, which you can download at:

   http://prdownloads.sourceforge.net/php-blog/serendipity-1.0.2.tar.gz?download
   

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFN6xcRDkUzAqGSqERAjoGAJ9coU5lI5WOMrFCsGylRpOtwX0ifACg3TZ0
074k4shsfTsLA6aXBQc72uY=
=Ognk
-----END PGP SIGNATURE-----
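As an added illustration that is not part of the advisory and not Serendipity's own code, the PHP below shows the two server-side patterns the Details section describes (a GET value written straight into a JavaScript string literal, and a hidden-field form built from raw URL parameter names), each beside a hardened replacement. The function names, the `file` parameter, the allow-list and the sample request are made up for the example.

```php
<?php
// Added illustration, not Serendipity's code: the two unsafe server-side
// patterns described in the advisory, each beside a hardened replacement.
// Function and parameter names are hypothetical.

// --- Pattern 1: a request value embedded in a JavaScript string literal ---

// Unsafe: $value is copied verbatim between the quotes, so a quote character
// in the URL ends the string literal and whatever follows is parsed as code.
function unsafeJsString(string $value): string
{
    return "<script>var file = '" . $value . "';</script>";
}

// Hardened: json_encode() emits a valid JS string literal and escapes the
// characters that could end it; the JSON_HEX_* flags additionally hex-encode
// < > & ' " so the result can neither close the <script> element nor be
// misread if the same literal is later placed inside an HTML attribute.
function safeJsString(string $value): string
{
    $literal = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($literal === false) {   // invalid UTF-8: fail closed with an empty string
        $literal = '""';
    }
    return "<script>var file = " . $literal . ";</script>";
}

// --- Pattern 2: a form that forwards every URL parameter as a hidden field ---

// Unsafe: the value is escaped, but the parameter *name* is written raw, so a
// quote or angle bracket in the name ends the attribute or the whole tag.
function unsafeHiddenFields(array $params): string
{
    $html = '';
    foreach ($params as $name => $value) {
        $html .= '<input type="hidden" name="' . $name . '" value="'
               . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "\">\n";
    }
    return $html;
}

// Hardened: forward only the parameters this page actually expects (an
// allow-list, so attacker-chosen names never reach the markup), require scalar
// values (PHP turns a[]=1 into an array), and escape name and value alike.
function safeHiddenFields(array $params, array $allowedNames): string
{
    $html = '';
    foreach ($allowedNames as $name) {
        if (!array_key_exists($name, $params) || !is_string($params[$name])) {
            continue;
        }
        $html .= '<input type="hidden" name="'
               . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
               . '" value="'
               . htmlspecialchars($params[$name], ENT_QUOTES, 'UTF-8')
               . "\">\n";
    }
    return $html;
}

// Self-check on a constructed, benign request that contains every character
// the escaping must neutralise. In a real page $params would be $_GET.
$params = [
    'file'         => "O'Reilly <report> & \"notes\"",
    'odd"name><b>' => 'value',   // a parameter name chosen by the requester
];
echo safeJsString($params['file']), "\n";
echo safeHiddenFields($params, ['file']);
```

Run with `php example.php`: the JavaScript literal comes out with `'`, `<`, `>`, `&` and `"` replaced by `\u00XX` escapes, and the hidden-field form contains only the `file` field with its name and value entity-encoded; the oddly named parameter is dropped by the allow-list rather than escaped, which is the simpler guarantee when a page only needs a known set of inputs.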


Copyright 2019, SecurityGlobal.net LLC