SecurityTracker.com
SecurityTracker
Archives
Category: Application (Forum/Board/Portal) > Serendipity
Vendors: s9y.org
Serendipity Input Validation Hole in Multi-User Back End Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1019502
SecurityTracker URL: http://securitytracker.com/id/1019502
CVE Reference: CVE-2008-0124
Date: Feb 26 2008
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 1.3-beta1
Description: A vulnerability was reported in Serendipity. A remote user can conduct cross-site scripting attacks.

When configured for a multi-user environment, the back end does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Serendipity software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'Real name' field in the 'Personal Settings' dialog is affected.

The media library also allows a remote authenticated user to upload files in arbitrary formats.

The vendor was notified on February 1, 2008.

The original advisory is available at:

http://int21.de/cve/CVE-2008-0124-s9y.html

Hanno Boeck of schokokeks.org reported this vulnerability.

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Serendipity software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (1.3-beta1).

The vendor's advisory is available at:

http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html

Vendor URL: www.s9y.org/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.


Source Message Contents

Subject:  [Full-disclosure] Backend Cross Site Scripting (XSS) in Serendipity


Source:
http://int21.de/cve/CVE-2008-0124-s9y.html

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0124
http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html
http://hboeck.de/archives/591-Cross-Site-Scripting-XSS-in-the-backend-and-in-the-installer.html
Description

Serendipity (S9Y) is a popular blogging system.
If used in a multiuser environment, one user can inject JavaScript code into certain fields in the backend to steal the cookies and hijack the accounts of other users.

Serendipity has the trustxss plugin to prevent XSS between users on multiuser setups, but that doesn't catch these issues.

In the »Personal Settings«-Dialogue, the »Real name« field can be filled with JavaScript, which appears on newly written articles. The »Username« field can also contain JavaScript, but there's no attack vector, as this field is only shown to the user itself.

Besides, the media library accepts uploads from any file format, including htm, html and js, which obviously also leads to XSS.
Workaround/Fix

If you have a multiuser blog and don't trust all users, you need to install the trustxss plugin and should immediately upgrade to 1.3-beta1.
If you're using a single-user blog, you are not affected.
Disclosure Timeline

2008-02-01 Vendor contacted
2008-02-01 Vendor fixed svn
2007-02-25 Vendor released 1.3-beta1
CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0124 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. It's licensed under the creative commons attribution license.

Hanno Boeck, 2008-02-26, http://www.hboeck.de

-- 
Hanno Böck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de



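The two defects the advisory and the message above describe, an unescaped profile field rendered into articles and a media library that accepts any file type, are illustrated here as an added PHP example. It is not Serendipity's code nor the advisory author's; the function names and the extension allowlist are assumptions for the illustration.

```php
<?php
// Added example, not Serendipity's own code: output-escape a user-controlled
// profile field before rendering it into an article, and allowlist upload
// extensions in the media library. Function names and the extension list
// are assumptions for this illustration.

// Vulnerable pattern: the stored 'Real name' is interpolated into the
// entry's HTML unchanged, so markup another user saved in the back end
// is executed by every browser that renders the entry.
function render_author_line_vulnerable(string $realName): string
{
    return '<span class="author">' . $realName . '</span>';
}

// Hardened pattern: encode at output time. ENT_QUOTES also covers attribute
// contexts; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
function render_author_line(string $realName): string
{
    $safe = htmlspecialchars($realName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="author">' . $safe . '</span>';
}

// Media library check: accept only extensions the site intends to serve as
// static media; htm, html and js are refused because the browser would
// execute them in the blog's origin. The list is an assumption.
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function is_allowed_upload(string $filename): bool
{
    // Only the final extension counts, so 'photo.png.html' is still rejected.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true);
}

// Constructed sample input: a profile value a co-author could have saved.
$realName = 'Alice <script>alert(1)</script>';

echo render_author_line_vulnerable($realName), "\n"; // script passes through
echo render_author_line($realName), "\n";            // rendered as inert text

foreach (['photo.jpg', 'page.html', 'photo.png.js'] as $name) {
    echo $name, ': ', is_allowed_upload($name) ? 'accepted' : 'rejected', "\n";
}
```

Escaping at output time is what protects the other users' browsers; the extension allowlist stops the same origin from serving attacker-supplied HTML or script files directly.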


Copyright 2019, SecurityGlobal.net LLC