Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Backend Cross Site Scripting (XSS) in Serendipity (S9Y

from [Hanno BÃck] Network Security [Permanent Link]
Subject: [Full-disclosure] Backend Cross Site Scripting (XSS) in Serendipity (S9Y) 1.2.1, CVE-2008-0124
Date: Tue, 26 Feb 2008 15:11:40 +0100 
Source:
http://int21.de/cve/CVE-2008-0124-s9y.html

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0124
http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html
http://hboeck.de/archives/591-Cross-Site-Scripting-XSS-in-the-backend-and-in-the-installer.html
Description

Serendipity (S9Y) is a popular blogging system.
If used in a multiuser environment, one user can inject javascript code into 
certain fields in the backend to steal the cookies and hijack the accounts of 
other users.

Serendipity has the trustxss plugin to prevent XSS between users on multiuser 
setups, but that doesn't catch these issues.

In the ÂPersonal SettingsÂ-Dialogue, the ÂReal name field can be filled 
with 
javascript, which appears on newly written articles. The ÂUsername field can 
also contain javascript, but there's no attack vector, as this field is only 
shown to the user itself.

Beside, the media library accepts uploads from any file format, including htm, 
html and js, which obviously also leads to xss.
Workaround/Fix

If you have a multiuser-blog and don't trust all users, you need to install 
the trustxss plugin and should immediately upgrade to 1.3-beta1.
If you're using a single-user blog, you are not affected.
Disclosure Timeline

2008-02-01 Vendor contacted
2008-02-01 Vendor fixed svn
2007-02-25 Vendor released 1.3-beta1
CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2008-0124 to this issue. This is a candidate for inclusion in the CVE 
list (http://cve.mitre.org/), which standardizes names for security problems.
Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. 
It's licensed under the creative commons attribution license.

Hanno Boeck, 2008-02-26, http://www.hboeck.de

-- 
Hanno BÃck             Blog:           http://www.hboeck.de/
GPG: 3DBD3B20           Jabber/Mail:    hanno@hboeck.de

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Backend Cross Site Scripting (XSS) in Serendipity (S9Y) 1.2.1, CVE-2008-0124, Hanno BÃck <=
Previous by Date:  [Full-disclosure] Move Networks Quantum Streaming Player UploadLogs() Buffer Overflow, Elazar Broad
Next by Date:  [Full-disclosure] clustering question, shadow floating
Previous by Thread:  [Full-disclosure] Move Networks Quantum Streaming Player UploadLogs() Buffer Overflow, Elazar Broad
Next by Thread:  [Full-disclosure] clustering question, shadow floating
Indexes:  [Date] [Thread] [Top] [All Lists]