s9y-xss.txt

`Two smaller issues in s9y, published here:  
http://int21.de/cve/CVE-2008-1385-s9y.html  
http://int21.de/cve/CVE-2008-1386-s9y.html  
  
  
Cross Site Scripting (XSS) in serendipity 1.3 referrer plugin, CVE-2008-1385  
References  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1385  
http://www.s9y.org/  
Description  
  
In the referrer plugin of the blog application serendipity, the referrer   
string is not escaped, thus leading to a permanent XSS.  
Example  
  
One can inject malicious javascript code with:  
  
wget --referer='http://<hr onMouseOver="alert(7)">' http://someblog.com/  
  
Workaround/Fix  
  
If you are using the referrer plugin, upgrade to 1.3.1.  
Disclosure Timeline  
  
2008-03-18 Vendor contacted  
2008-03-18 Vendor answered  
2008-03-18 Vendor fixed issue in trunk/branch revision  
2008-04-22 Vendor released 1.3.1  
2008-04-22 Advisory published  
CVE Information  
  
The Common Vulnerabilities and Exposures (CVE) project has assigned the name   
CVE-2008-1385 to this issue. This is a candidate for inclusion in the CVE   
list (http://cve.mitre.org/), which standardizes names for security problems.  
Credits and copyright  
  
This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.   
It's licensed under the creative commons attribution license.  
  
Hanno Boeck, 2008-04-xx, http://www.hboeck.de  
  
  
  
  
Cross Site Scripting (XSS) in serendipity 1.3 installer, CVE-2008-1386  
References  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1386  
http://www.s9y.org/  
Description  
  
The installer of serendipity 1.3 has various Cross Site Scripting issues. This   
is considered low priority, as attack scenarios are very unlikely.  
  
Various path fields are not escaped properly, thus filling them with   
javascript code will lead to XSS. MySQL error messages are not escaped, thus   
the database host field can also be filled with javascript.  
Workaround/Fix  
  
If you are doing a fresh installation of serendipity, use version 1.3.1.  
  
In general, don't leave uninstalled webapplications laying around on a public   
webspace.  
Disclosure Timeline  
  
2008-03-21 Vendor contacted with patches  
2008-03-21 Vendor fixed issue in trunk/branch revision  
2008-04-22 Vendor released 1.3.1  
2008-04-22 Advisory published  
CVE Information  
  
The Common Vulnerabilities and Exposures (CVE) project has assigned the name   
CVE-2008-1386 to this issue. This is a candidate for inclusion in the CVE   
list (http://cve.mitre.org/), which standardizes names for security problems.  
Credits and copyright  
  
This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.   
It's licensed under the creative commons attribution license.  
  
Hanno Boeck, 2008-04-xx, http://www.hboeck.de  
  
--   
Hanno Böck Blog: http://www.hboeck.de/  
GPG: 3DBD3B20 Jabber/Mail: [email protected]  
`