Serendipity Input Validation Holes in the Installer and Referrer Plugin Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1019915
SecurityTracker URL: http://securitytracker.com/id/1019915
CVE Reference: CVE-2008-1385, CVE-2008-1386
Date: Apr 22 2008
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes   Vendor Confirmed: Yes   Exploit Included: Yes
Version(s): 1.3 and prior versions
Description:
Two vulnerabilities were reported in Serendipity. A remote user can conduct cross-site scripting attacks.
The referrer plugin does not escape the HTTP Referer header before storing it and displaying it on the site [CVE-2008-1385]. Because the stored value is shown to later visitors, this is a persistent (stored) cross-site scripting flaw: a remote user can supply a specially crafted Referer value in a single request to the blog, and when a target user then views the affected page, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the Serendipity software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit is provided (the Referer value carries an HTML element with an event-handler attribute, which the plugin renders unchanged):
wget --referer='http://<hr onMouseOver="alert(7)">' http://[target]/
Also, the Serendipity 1.3 installer does not escape user-supplied input before displaying it [CVE-2008-1386]: several path fields are echoed back unescaped, and MySQL error messages, which reflect the database host field, are not escaped either. The reporter rates this as low priority, as attack scenarios are considered very unlikely; the accompanying advice is not to leave an uninstalled web application on public webspace.
The vendor was notified of the two vulnerabilities on March 18 and 21, 2008, respectively.
The original advisories are available at:
http://int21.de/cve/CVE-2008-1385-s9y.html
http://int21.de/cve/CVE-2008-1386-s9y.html
Hanno Boeck reported these vulnerabilities.
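As an added example (not Serendipity's own code, which is PHP), the unescaped-referrer pattern behind CVE-2008-1385 is shown below as a vulnerable renderer beside a hardened one, together with a check a defender can run over combined-format web server access logs to spot probes like the wget command above. The function names and the sample log lines are constructed for this example.

```python
"""Added example (not Serendipity's code, which is PHP): the referrer-plugin
bug pattern behind CVE-2008-1385 as a vulnerable renderer beside a hardened
one, plus a check that flags Referer-based XSS probes in Apache/nginx
combined-format access logs. Function names and sample log lines are
constructed for this example."""
import html
import re

# The --referer value from the advisory's wget one-liner.
ADVISORY_PAYLOAD = 'http://<hr onMouseOver="alert(7)">'


def render_referrer_vulnerable(referer):
    """Unescaped rendering: the stored Referer header is interpolated straight
    into markup, so any HTML in it becomes part of the page (stored XSS)."""
    return f'<li><a href="{referer}">{referer}</a></li>'


def render_referrer_fixed(referer):
    """Escape for both the attribute and the text context (quote=True covers
    the double quote), and only link http(s) URLs so that a javascript:
    referrer cannot become a clickable href either."""
    safe = html.escape(referer, quote=True)
    if not referer.lower().startswith(("http://", "https://")):
        return f"<li>{safe}</li>"
    return f'<li><a href="{safe}">{safe}</a></li>'


# Combined log format; quoted fields may contain backslash-escaped quotes,
# which is how Apache writes a Referer such as the advisory payload.
_QUOTED = r'(?:\\.|[^"\\])*'
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"'
)

# Markup or script in a Referer, raw or percent-encoded.
SUSPICIOUS_REFERER = re.compile(
    r'[<>]|%3c|%3e|javascript:|\bon[a-z]+\s*=', re.IGNORECASE
)


def parse_combined_log_line(line):
    """Return the fields of one combined-format line, or None if it does not
    parse. Backslash-escaped quotes inside the Referer are unescaped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["referer"] = rec["referer"].replace('\\"', '"')
    return rec


def find_referer_xss_attempts(lines):
    """Return a list of (client, referer) for every request whose Referer
    carries markup or script, i.e. a probe like the advisory's wget command."""
    hits = []
    for line in lines:
        rec = parse_combined_log_line(line)
        if rec is None or rec["referer"] == "-":
            continue
        if SUSPICIOUS_REFERER.search(rec["referer"]):
            hits.append((rec["host"], rec["referer"]))
    return hits


# Constructed sample log: a benign referrer, the advisory payload as Apache
# would log it, a percent-encoded variant, and a request without a Referer.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2008:12:25:07 +0200] "GET / HTTP/1.1" 200 5123 '
    '"http://planet.example.org/" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Apr/2008:12:26:01 +0200] "GET / HTTP/1.0" 200 5123 '
    '"http://<hr onMouseOver=\\"alert(7)\\">" "Wget/1.10.2"',
    '198.51.100.7 - - [22/Apr/2008:12:26:05 +0200] "GET /index.php HTTP/1.0" 200 5123 '
    '"http://attacker.example/%3Cscript%3Ealert(7)%3C/script%3E" "Wget/1.10.2"',
    '203.0.113.5 - - [22/Apr/2008:12:27:00 +0200] "GET /rss.php HTTP/1.1" 200 812 '
    '"-" "FeedReader/2.0"',
]

if __name__ == "__main__":
    print("vulnerable:", render_referrer_vulnerable(ADVISORY_PAYLOAD))
    print("fixed:     ", render_referrer_fixed(ADVISORY_PAYLOAD))
    for client, ref in find_referer_xss_attempts(SAMPLE_LOG):
        print(f"suspicious Referer from {client}: {ref}")
```

The hardened renderer escapes for both the attribute and the text context and refuses to turn anything other than an http(s) URL into a link, because plain escaping alone would still let a `javascript:` referrer through as a working href. The same escaping principle applies to the installer issue [CVE-2008-1386], where path fields and MySQL error messages are echoed back into the page. The log check only helps where the server logs the Referer field (the combined format does; the common format does not).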
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Serendipity software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:
The vendor has issued a fixed version (1.3.1), available at:
http://www.s9y.org/
Vendor URL: www.s9y.org/
Cause:
Input validation error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Tue, 22 Apr 2008 12:25:07 +0200
Subject: Cross site scripting issues in s9y (CVE-2008-1386, CVE-2008-1387)

Two smaller issues in s9y, published here:
http://int21.de/cve/CVE-2008-1386-s9y.html
http://int21.de/cve/CVE-2008-1387-s9y.html

Cross Site Scripting (XSS) in serendipity 1.3 referrer plugin, CVE-2008-1385

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1385
http://www.s9y.org/

Description
In the referrer plugin of the blog application serendipity, the referrer
string is not escaped, thus leading to a permanent XSS.

Example
One can inject malicious javascript code with:
wget --referer='http://<hr onMouseOver="alert(7)">' http://someblog.com/

Workaround/Fix
If you are using the referrer plugin, upgrade to 1.3.1.

Disclosure Timeline
2008-03-18 Vendor contacted
2008-03-18 Vendor answered
2008-03-18 Vendor fixed issue in trunk/branch revision
2008-04-22 Vendor released 1.3.1
2008-04-22 Advisory published

CVE Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2008-1385 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright
This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the creative commons attribution license.

Hanno Boeck, 2008-04-xx, http://www.hboeck.de

Cross Site Scripting (XSS) in serendipity 1.3 installer, CVE-2008-1386

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1386
http://www.s9y.org/

Description
The installer of serendipity 1.3 has various Cross Site Scripting issues. This
is considered low priority, as attack scenarios are very unlikely.
Various path fields are not escaped properly, thus filling them with
javascript code will lead to XSS. MySQL error messages are not escaped, thus
the database host field can also be filled with javascript.

Workaround/Fix
If you are doing a fresh installation of serendipity, use version 1.3.1.
In general, don't leave uninstalled web applications lying around on a public
webspace.

Disclosure Timeline
2008-03-21 Vendor contacted with patches
2008-03-21 Vendor fixed issue in trunk/branch revision
2008-04-22 Vendor released 1.3.1
2008-04-22 Advisory published

CVE Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2008-1386 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright
This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the creative commons attribution license.

Hanno Boeck, 2008-04-xx, http://www.hboeck.de

--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEABECAAYFAkgNvQMACgkQr2QksT29OyAqdgCeKsGasUmGAe/VTppg4MhGLMjP
+pYAn17Lw1k4RkIDMRACnfBg+88SZPMB
=wX15
-----END PGP SIGNATURE-----