CMS Serendipity 2.0-rc1 Cross Site Scripting

2014-12-23T00:00:00
ID PACKETSTORM:129709
Type packetstorm
Reporter Steffen Roesemann
Modified 2014-12-23T00:00:00

Description

                                        
                                            `Advisory: Stored XSS Vulnerability in CMS Serendipity v.2.0-rc1  
  
Advisory ID: SROEADV-2014-02  
  
Author: Steffen Rösemann  
  
Affected Software: CMS Serendipity v.2.0-rc1 (Release: 20th Dec 2014)  
  
Vendor URL: http://www.s9y.org/  
  
Vendor Status: fixed  
  
CVE-ID: -  
  
  
==========================  
  
Vulnerability Description:  
  
==========================  
  
  
The Content Management System Serendipity v.2.0-rc1 has a stored  
XSS-vulnerability in its comment functionality. Arbitrary HTML- and/or  
JavaScriptcode is stored in the database. On the frontend side, it gets  
sanitized, while on the administrative backend, where new comments are  
displayed to the administrator after login, it gets immidiately executed.  
  
  
==================  
  
Technical Details:  
  
==================  
  
  
If an attacker is posting arbitrary HTML- and/or JavaScriptcode in a  
comment, which for example is located in the following URL, it will be  
stored in the database without being sanitized.  
  
  
http://  
{HOSTNAME/DOMAIN}/serendipity/index.php?/archives/{TITLE-OF-THE-BLOG-ENTRY}.html#comments  
  
  
When the comments are displayed on the frontend, they will be sanitized,  
while on the administrative backend it gets displayed unsanitized and is  
being executed, because the latest comments are shown, after an  
administrative user has been logged in to the following URL:  
  
  
http://{HOSTNAME/DOMAIN}/serendipity/serendipity_admin.php  
  
  
=========  
  
Solution:  
  
=========  
  
  
Update to the latest version  
  
  
====================  
  
Disclosure Timeline:  
  
====================  
  
22-Dec-2014 – found the vulnerability  
  
23-Dec-2014 - informed the developers  
  
23-Dec-2014 - release date of this security advisory  
  
23-Dec-2014 - response and fix by vendor  
  
23-Dec-2014 - post on FullDisclosure  
  
  
========  
  
Credits:  
  
========  
  
  
Vulnerability found and advisory written by Steffen Rösemann.  
  
  
===========  
  
References:  
  
===========  
  
  
http://blog.s9y.org/archives/259-Serendipity-2.0-rc2-released.html  
  
http://sroesemann.blogspot.de  
  
  
`