[Full-disclosure] Cross site scripting issues in s9y (CVE-2008-1386, CVE-2008-1387)

2008-04-22T00:00:00
ID SECURITYVULNS:DOC:19711
Type securityvulns
Reporter Securityvulns
Modified 2008-04-22T00:00:00

Description

Two smaller issues in s9y, published here: http://int21.de/cve/CVE-2008-1386-s9y.html http://int21.de/cve/CVE-2008-1387-s9y.html

Cross Site Scripting (XSS) in serendipity 1.3 referrer plugin, CVE-2008-1385 References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1385 http://www.s9y.org/ Description

In the referrer plugin of the blog application serendipity, the referrer string is not escaped, thus leading to a permanent XSS. Example

One can inject malicious javascript code with:

wget --referer='http://<hr onMouseOver="alert(7)">' http://someblog.com/

Workaround/Fix

If you are using the referrer plugin, upgrade to 1.3.1. Disclosure Timeline

2008-03-18 Vendor contacted 2008-03-18 Vendor answered 2008-03-18 Vendor fixed issue in trunk/branch revision 2008-04-22 Vendor released 1.3.1 2008-04-22 Advisory published CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-1385 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. It's licensed under the creative commons attribution license.

Hanno Boeck, 2008-04-xx, http://www.hboeck.de

Cross Site Scripting (XSS) in serendipity 1.3 installer, CVE-2008-1386 References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1386 http://www.s9y.org/ Description

The installer of serendipity 1.3 has various Cross Site Scripting issues. This is considered low priority, as attack scenarios are very unlikely.

Various path fields are not escaped properly, thus filling them with javascript code will lead to XSS. MySQL error messages are not escaped, thus the database host field can also be filled with javascript. Workaround/Fix

If you are doing a fresh installation of serendipity, use version 1.3.1.

In general, don't leave uninstalled webapplications laying around on a public webspace. Disclosure Timeline

2008-03-21 Vendor contacted with patches 2008-03-21 Vendor fixed issue in trunk/branch revision 2008-04-22 Vendor released 1.3.1 2008-04-22 Advisory published CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-1386 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. It's licensed under the creative commons attribution license.

Hanno Boeck, 2008-04-xx, http://www.hboeck.de

-- Hanno Bock Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de