serendipityfreetag-xss.txt

08 Feb 2008 | Reported by Alexander Brachmann | Type: packetstorm | Source: packetstormsecurity.com

Serendipity Freetag-plugin XSS vulnerability in version 2.95 allows remote attackers to inject arbitrary code, potentially leading to hijacking of Serendipity accounts. Upgrade to version 2.96 to fix the flaw.

Code
`* Advisory: Serendipity Freetag-plugin XSS vulnerability  
  
* Application: Serendipity Freetag-plugin =< 2.95  
* Category: Web application  
* Class: Cross Site Scripting (XSS)  
* Release date: 08. February 2008  
* Last updated: 08. February 2008  
* Remote: Yes  
* Local: No  
* CVE: Not yet assigned  
* Credits: Alexander Brachmann ([email protected])  
* Author of advisory: Alexander Brachmann ([email protected])  
* Severity: An XSS flaw was discovered in the optional Freetag-plugin   
for Serendipity (popular weblog application). E.g., this could lead to a   
hijacked Serendipity account.  
* Risk: High  
* Vendor/Project/Programmer(s): Garvin Hicking, Jonathan Arkell, Grischa   
Brockhaus  
* Solution status: The programmers have fixed this flaw in Freetag   
version 2.96.  
* References:  
[1] http://blog.s9y.org/archives/190-Freetag-plugin-updated-to-prevent-XSS.html  
[2] http://www.bitsploit.de/uploads/Code/200802080000/  
[3] http://www.bitsploit.de/uploads/Bilder/200802101012/s9y-xss.jpg  
  
  
* Overview:  
Quote from www.s9y.org:  
"Serendipity is a PHP-powered weblog application which gives the user an   
easy way to maintain an online diary, weblog or even a complete   
homepage. While the default package is designed for the casual blogger,   
Serendipity offers a flexible, expandable and easy-to-use framework with   
the power for professional applications.  
Casual users appreciate the way Serendipity's sophisticated plugin   
architecture allows you to easily modify both the appearance of your   
blog and its features.  
You can install more than 120 plugins with just one click, instantly   
enhancing your blog's functionality."  
  
While testing Serendipity, an XSS flaw was discovered in the optional   
plugin for tagging entries called "Freetag". For example, this could   
lead to a hijacked Serendipity account.  
  
  
* Details:  
The Freetag-plugin displays the tag name, specified in a URL, back to   
the user.  
Due to defective sanitization of the user's input, it is possible to   
inject arbitrary code which will be reflected on the website.  
  
  
* Proof of Concept (PoC):  
URL:   
http://www.example.com/plugin/tag/%3Cdiv%20style=width:expression(alert(document.cookie));%3E  
Hint: The PoC currently works only in Microsoft Internet Explorer 6,   
Microsoft Internet Explorer 7 and Netscape Navigator 8.1+ (in Internet   
Explorer rendering mode).  
  
  
* Solution:  
We strongly recommend upgrading to Freetag version 2.96, which fixes   
this flaw.  
URL:   
http://spartacus.s9y.org/cvs/additional_plugins/serendipity_event_freetag.zip  
  
  
* Disclosure timeline:  
05. February 2008 - Flaw was discovered and re-checked.  
06. February 2008 - Programmers have been notified. (Due to responsible   
disclosure.)  
06. February 2008 - Fix was committed.  
07. February 2008 - Freetag 2.96 released to the public.  
08. February 2008 - Public disclosure.  
  
  
* GPG:  
E-Mail: [email protected]  
Public key: http://www.bitsploit.de/gpg/domains/public_key.asc  
Key ID: 0x75093340  
Key Fingerprint: D542 669B 02F8 7874 F75A A44C AA0B 41FC 7509 3340  
  
  
* Copyright:  
Creative Commons - by - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
`
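
The flaw described under Details, reduced to an added PHP example (not the Freetag plugin's source and not part of the advisory): a tag name taken from the URL is echoed unencoded, shown next to the output-encoded form. The function names, the heading markup and the path handling are assumptions made for illustration.

```php
<?php
// Hypothetical names throughout; this is not the Freetag plugin's code.

// Extract the tag from a request path of the form /plugin/tag/<name>.
function tag_from_path(string $path): string
{
    $prefix = '/plugin/tag/';
    $pos = strpos($path, $prefix);
    if ($pos === false) {
        return '';
    }
    // A request URI arrives percent-encoded; decode it exactly once.
    return rawurldecode(substr($path, $pos + strlen($prefix)));
}

// Unsafe pattern: the decoded tag is concatenated straight into markup.
function render_heading_unsafe(string $tag): string
{
    return '<h2>Entries tagged as ' . $tag . '</h2>';
}

// Hardened pattern: encode for the HTML context at the point of output,
// so <, >, & and both quote characters become character references.
function render_heading_safe(string $tag): string
{
    $encoded = htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Entries tagged as ' . $encoded . '</h2>';
}

// Constructed input: the path component of the advisory's PoC URL.
$path = '/plugin/tag/%3Cdiv%20style=width:expression(alert(document.cookie));%3E';
$tag  = tag_from_path($path);

echo render_heading_unsafe($tag), "\n"; // element from the URL lands in the page
echo render_heading_safe($tag), "\n";   // same characters, rendered as inert text

// The encoded output must not contain a raw tag opener from the input.
if (strpos(render_heading_safe($tag), '<div') !== false) {
    throw new RuntimeException('tag name was not encoded');
}
```

Encoding at output time keeps the stored or routed tag value intact while making it inert in the HTML body; a value placed into an attribute, URL or script context needs the encoder for that context instead.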
