Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Serendipity 2.0.1 - Persistent XSS

From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Tue, 1 Sep 2015 13:42:50 +0200
Serendipity 2.0.1: Persistent XSS
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:       Serendipity 2.0.1       
Fixed in:               2.0.2
Fixed Version Link:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Vendor Contact:         serendipity () supergarv de     
Vulnerability Type:     Persistent XSS  
Remote Exploitable:     Yes     
Reported to vendor:     07/21/2015      
Disclosed to public:    09/01/2015      
Release mode:           Coordinated release     
CVE:                    n/a     
Credits                 Tim Coen of Curesec GmbH        

2. Vulnerability Description

There is a persistent XSS vulnerability in Serendipity 2.0.1 when using
the default 2k11 theme. It requires a click of the victim to trigger.

The problem exists because the theme reads out the name field of a
comment using the jQuery .text() function, which decodes the previously
properly encoded name. It then inserts the result back into the DOM.

3. Proof of Concept

    Add comment with name <img src="no" onerror="alert(1)">
    Click "reply" on that comment

The admin may be tricked into clicking on reply by leaving a question as
comment or via ClickJacking.

4. Code


            include/functions_comments.inc.php:180
                    function serendipity_displayCommentForm
                    [...]
                            'commentform_replyTo'        =>
serendipity_generateCommentList($id, $comments,
((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)),

            include/functions_comments.inc.php:306
                    function serendipity_generateCommentList(
                    [...]
                    $retval .= '<option value="' . $comment['id'] . '"'. ($selected ==
$comment['id'] || (isset($serendipity['POST']['replyTo']) &&
$comment['id'] == $serendipity['POST']['replyTo']) ? '
selected="selected"' : '') .'>' . str_repeat(' ', $level * 2) . '#' .
$indent . $i . ': ' . (empty($comment['author']) ? ANONYMOUS :
serendipity_specialchars($comment['author']))

        js/2k11.min.js
            a("#serendipity_replyTo :selected").text()

5. Solution

To mitigate this issue please upgrade at least to version 2.0.2:

https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Please note that a newer version might already be available.

5. Report Timeline

07/21/2015      Informed Vendor about Issue
07/24/2015      Vendor releases Version 2.0.2
09/01/2015      Disclosed to public

6. Blog Reference
http://blog.curesec.com/article/blog/Serendipity-201-Persistent-XSS-51.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: