CMS Serendipity 2.0-rc1 Cross Site Scripting

Posted on 24 December 2014

Advisory: Stored XSS Vulnerability in CMS Serendipity v.2.0-rc1
Advisory ID: SROEADV-2014-02
Author: Steffen Rösemann
Affected Software: CMS Serendipity v.2.0-rc1 (Release: 20th Dec 2014)
Vendor URL: http://www.s9y.org/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Content Management System Serendipity v.2.0-rc1 has a stored XSS vulnerability in its comment functionality. Arbitrary HTML and/or JavaScript code submitted in a comment is stored in the database as-is. On the frontend it is sanitized before being displayed, while on the administrative backend, where new comments are shown to the administrator after login, it is output unsanitized and executes immediately in the administrator's browser.

==================
Technical Details:
==================

If an attacker posts arbitrary HTML and/or JavaScript code in a comment, for example through the comment form at the following URL, it is stored in the database without being sanitized:

http://{HOSTNAME/DOMAIN}/serendipity/index.php?/archives/{TITLE-OF-THE-BLOG-ENTRY}.html#comments

When the comments are displayed on the frontend they are sanitized. On the administrative backend, however, the latest comments are displayed unsanitized once an administrative user has logged in at the following URL, so the injected code is executed with that administrator's session:

http://{HOSTNAME/DOMAIN}/serendipity/serendipity_admin.php

=========
Solution:
=========

Update to the latest version (see the Serendipity 2.0-rc2 release note in the References).

====================
Disclosure Timeline:
====================

22-Dec-2014 - found the vulnerability
23-Dec-2014 - informed the developers
23-Dec-2014 - release date of this security advisory
23-Dec-2014 - response and fix by vendor
23-Dec-2014 - post on Full Disclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://blog.s9y.org/archives/259-Serendipity-2.0-rc2-released.html
http://sroesemann.blogspot.de
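The asymmetry the advisory describes (comment body stored raw, escaped on the frontend, interpolated unescaped into the backend's latest-comments view) is modeled below as an added Python example. It is not Serendipity's own code (which is PHP); the class and function names, the div markup and the PROBE_COMMENT marker are constructed for illustration. The classify_rendering helper is the check a tester would run over a fetched page to tell a raw (executable) rendering from an escaped one.

```python
import html

# Constructed probe comment for the example: an unambiguous marker,
# not a working exploit against any real installation.
PROBE_COMMENT = '<script>alert("SROEADV-2014-02")</script>'


class CommentStore:
    """In-memory stand-in for the comment table (hypothetical).

    As the advisory describes, the body is stored exactly as submitted;
    the escaping decision is made, or missed, on output.
    """

    def __init__(self) -> None:
        self.comments: list[str] = []

    def add(self, body: str) -> None:
        self.comments.append(body)

    def frontend_page(self) -> str:
        # Frontend path (index.php in the advisory): every body is escaped.
        return "".join(
            f'<div class="comment">{html.escape(c, quote=True)}</div>'
            for c in self.comments
        )

    def admin_page_vulnerable(self) -> str:
        # Backend "latest comments" path as described for rc1: the stored
        # body is interpolated into the admin page without escaping.
        return "".join(
            f'<div class="admin-comment">{c}</div>' for c in self.comments
        )

    def admin_page_fixed(self) -> str:
        # Hardened backend path: the same output encoding as the frontend.
        return "".join(
            f'<div class="admin-comment">{html.escape(c, quote=True)}</div>'
            for c in self.comments
        )


def classify_rendering(page: str, probe: str) -> str:
    """Report how a stored probe appears in a rendered page.

    'raw'     - probe markup present verbatim; a browser would execute it
                (the backend condition the advisory reports)
    'escaped' - only an HTML-escaped form is present (safe)
    'absent'  - neither appears (moderated away or not on this page)
    """
    if probe in page:
        return "raw"
    escaped_forms = (
        html.escape(probe, quote=True),   # htmlspecialchars with ENT_QUOTES
        html.escape(probe, quote=False),  # without quote encoding
    )
    if any(form in page for form in escaped_forms):
        return "escaped"
    return "absent"


def audit(store: CommentStore, probe: str) -> dict[str, str]:
    """Classify the probe in each rendering path of the store."""
    return {
        "frontend": classify_rendering(store.frontend_page(), probe),
        "admin_vulnerable": classify_rendering(store.admin_page_vulnerable(), probe),
        "admin_fixed": classify_rendering(store.admin_page_fixed(), probe),
    }


if __name__ == "__main__":
    store = CommentStore()
    store.add("A harmless first comment.")
    store.add(PROBE_COMMENT)
    for path, verdict in audit(store, PROBE_COMMENT).items():
        print(f"{path:17s} {verdict}")
```

The point of the model is that storing the raw body is not the defect; the defect is one output path that skips the encoding the other applies. The fix is therefore consistent output encoding on every view that renders user-controlled data, admin-only views included. Against a live install the same classify_rendering check would be run over the admin page fetched with an authenticated session after posting a marker comment.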
