Serendipity 2.0.1 Cross Site Scripting
Posted on 04 September 2015
Serendipity 2.0.1: Persistent XSS Security Advisory – Curesec Research Team 1. Introduction Affected Product: Serendipity 2.0.1 Fixed in: 2.0.2 Fixed Version Link: https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip Vendor Contact: serendipity@supergarv.de Vulnerability Type: Persistent XSS Remote Exploitable: Yes Reported to vendor: 07/21/2015 Disclosed to public: 09/01/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description There is a persistent XSS vulnerability in Serendipity 2.0.1 when using the default 2k11 theme. It requires a click of the victim to trigger. The problem exists because the theme reads out the name field of a comment using the jQuery .text() function, which decodes the previously properly encoded name. It then inserts the result back into the DOM. 3. Proof of Concept Add comment with name <img src="no" onerror="alert(1)"> Click "reply" on that comment The admin may be tricked into clicking on reply by leaving a question as comment or via ClickJacking. 4. Code include/functions_comments.inc.php:180 function serendipity_displayCommentForm [...] 'commentform_replyTo' => serendipity_generateCommentList($id, $comments, ((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)), include/functions_comments.inc.php:306 function serendipity_generateCommentList( [...] $retval .= '<option value="' . $comment['id'] . '"'. ($selected == $comment['id'] || (isset($serendipity['POST']['replyTo']) && $comment['id'] == $serendipity['POST']['replyTo']) ? ' selected="selected"' : '') .'>' . str_repeat(' ', $level * 2) . '#' . $indent . $i . ': ' . (empty($comment['author']) ? ANONYMOUS : serendipity_specialchars($comment['author'])) js/2k11.min.js a("#serendipity_replyTo :selected").text() 5. Solution To mitigate this issue please upgrade at least to version 2.0.2: https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip Please note that a newer version might already be available. 5. Report Timeline 07/21/2015 Informed Vendor about Issue 07/24/2015 Vendor releases Version 2.0.2 09/01/2015 Disclosed to public 6. Blog Reference http://blog.curesec.com/article/blog/Serendipity-201-Persistent-XSS-51.html
