Serendipity Input Validation Hole in Multi-User Back End Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1019502
SecurityTracker URL: http://securitytracker.com/id/1019502
Date: Feb 26 2008
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): prior to 1.3-beta1
A vulnerability was reported in Serendipity. A remote user can conduct cross-site scripting attacks.
When configured for a multi-user environment, the back end does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Serendipity software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The 'Real name' field in the 'Personal Settings' Dialogue is affected.
The media library allows a remote authenticated user to upload files in arbitrary formats.
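The two weaknesses described above, output that is not HTML-encoded and uploads that are not restricted by type, can be illustrated with the following added example. It is not Serendipity's code or the vendor's fix; the function names, the allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from Serendipity.

// Encode a user-controlled profile value (such as a "Real name") before it is
// placed in HTML text or a quoted attribute, so markup in it is shown as text.
function render_real_name(string $realName): string
{
    return htmlspecialchars($realName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed allowlist: extension => MIME type the file content must match.
const ALLOWED_MEDIA = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// Accept an upload only if its final extension is allowlisted AND the type
// sniffed from the bytes agrees with that extension. Script-capable formats
// such as .html and .js are rejected because they are not on the list.
function is_allowed_upload(string $fileName, string $bytes): bool
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_MEDIA)) {
        return false;
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return $sniffed === ALLOWED_MEDIA[$ext];
}

// Constructed sample inputs.
$name = 'Alice <script>alert(1)</script>';
$gif  = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";   // minimal GIF header
$html = '<html><body><script></script></body></html>';

echo render_real_name($name), "\n";               // tags are emitted as entities

var_dump(is_allowed_upload('avatar.gif', $gif));  // allowlisted, bytes match
var_dump(is_allowed_upload('notes.html', $html)); // extension not allowlisted
var_dump(is_allowed_upload('page.gif', $html));   // extension ok, bytes are HTML
```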
The vendor was notified on February 1, 2008.
The original advisory is available at:
Hanno Boeck of schokokeks.org reported this vulnerability.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Serendipity software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has issued a fix (1.3-beta1).
The vendor's advisory is available at:
Vendor URL: www.s9y.org/
Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: [Full-disclosure] Backend Cross Site Scripting (XSS) in Serendipity
Serendipity (S9Y) is a popular blogging system.
certain fields in the backend to steal the cookies and hijack the accounts
Serendipity has the trustxss plugin to prevent XSS between users on multiuser
setups, but that doesn't catch these issues.
In the »Personal Settings«-Dialogue, the »Real name« field can be filled with
« field can
shown to the user itself.
Besides, the media library accepts uploads from any file format, including
html and js, which obviously also leads to xss.
If you have a multiuser-blog and don't trust all users, you need to install
the trustxss plugin and should immediately upgrade to 1.3-beta1.
If you're using a single-user blog, you are not affected.
2008-02-01 Vendor contacted
2008-02-01 Vendor fixed svn
2007-02-25 Vendor released 1.3-beta1
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2008-0124 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org/), which standardizes names for security problems.
Credits and copyright
This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the creative commons attribution license.
Hanno Boeck, 2008-02-26, http://www.hboeck.de
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: firstname.lastname@example.org