-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hardened-PHP Project www.hardened-php.net
-= Security Advisory =-
Advisory: Serendipity Weblog XSS Vulnerabilities Release Date: 2006/10/19 Last Modified: 2006/10/19 Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]]
Application: Serendipity <= 1.0.1 Severity: Multiple XSS vulnerabilities within the administration interface allow Cross Site Scripting attacks against the blog admin Risk: Critical Vendor Status: Vendor has a released an updated version References: http://www.hardened-php.net/advisory_112006.136.html
Quote from http://www.s9y.org "Serendipity is a PHP-powered weblog application which gives the user an easy way to maintain an online diary, weblog or even a complete homepage. While the default package is designed for the casual blogger, Serendipity offers a flexible, expandable and easy-to-use framework with the power for professional applications."
During an quick audit of Serendipity it was discovered that multiple XSS vulnerabilities exist in the administration area. Because of this vulnerabilities it is possible for an attacker that tricks an admin into visiting a special prepared website to perform any administrative action in the blog. This includes posting entries or adding additional admin users.
Tricking a blog admin to visit a certain website is usually as simple as mentioning an URL in the comments of his blog.
Additionally Serendipity dynamically created a HTML form on the media manager administration page that contained all variables found in the URL as hidden fields. While the variable values were correctly escaped it was possible to break out by specifying strange variable names.
Proof of Concept:
The Hardened-PHP Project is not going to release exploits for this vulnerability to the public.
It is strongly recommended to upgrade to the newest version of Serendipity 1.0.2 which you can download at:
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2006 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFFN6xcRDkUzAqGSqERAjoGAJ9coU5lI5WOMrFCsGylRpOtwX0ifACg3TZ0 074k4shsfTsLA6aXBQc72uY= =Ognk -----END PGP SIGNATURE-----