Subject: Re: [Full-disclosure] Cross site scripting issues in s9y (CVE-2008-1386, CVE-2008-1387)
Date: Tue, 22 Apr 2008 12:09:52 +0100
v3nt3d is happy to accept these first two entries to "Tuesday" (A new and
innovative day brought to you by v3nt3d) - If you want a real chance to win
you may have to try to be more obnoxious (Releasing an XSS under Creative
Commons is a good start though). n3td3v, v3nt3d likes your entry, but knows
you can do much better...


On Tue, Apr 22, 2008 at 12:01 PM, n3td3v <xploitable@gmail.com> wrote:

 On Tue, Apr 22, 2008 at 11:25 AM, Hanno Böck <hanno@hboeck.de> wrote:
Two smaller issues in s9y, published here:
http://int21.de/cve/CVE-2008-1386-s9y.html
http://int21.de/cve/CVE-2008-1387-s9y.html


Cross Site Scripting (XSS) in serendipity 1.3 referrer plugin, CVE-2008-1385
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1385
http://www.s9y.org/
Description

In the referrer plugin of the blog application serendipity, the referrer
string is not escaped, thus leading to a permanent XSS.
Example

One can inject malicious JavaScript code with:

wget --referer='http://<hr onMouseOver="alert(7)">' http://someblog.com/

Workaround/Fix

If you are using the referrer plugin, upgrade to 1.3.1.
Disclosure Timeline

2008-03-18 Vendor contacted
2008-03-18 Vendor answered
2008-03-18 Vendor fixed issue in trunk/branch revision
2008-04-22 Vendor released 1.3.1
2008-04-22 Advisory published
CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2008-1385 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org/), which standardizes names for security
problems.
Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the Creative Commons Attribution license.

Hanno Boeck, 2008-04-xx, http://www.hboeck.de




Cross Site Scripting (XSS) in serendipity 1.3 installer, CVE-2008-1386
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1386
http://www.s9y.org/
Description

The installer of serendipity 1.3 has various Cross Site Scripting issues. This
is considered low priority, as attack scenarios are very unlikely.

Various path fields are not escaped properly, thus filling them with
JavaScript code will lead to XSS. MySQL error messages are not escaped, thus
the database host field can also be filled with JavaScript.
Workaround/Fix

If you are doing a fresh installation of serendipity, use version 1.3.1.

In general, don't leave uninstalled web applications lying around on a public
webspace.
Disclosure Timeline

2008-03-21 Vendor contacted with patches
2008-03-21 Vendor fixed issue in trunk/branch revision
2008-04-22 Vendor released 1.3.1
2008-04-22 Advisory published
CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2008-1386 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org/), which standardizes names for security
problems.
Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the Creative Commons Attribution license.

Hanno Boeck, 2008-04-xx, http://www.hboeck.de

--
Hanno Böck              Blog:           http://www.hboeck.de/
GPG: 3DBD3B20           Jabber/Mail:    hanno@hboeck.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Web Application Security Awareness Day,
It's the only day in the year you don't get laughed at for releasing XSS.

Learn More
http://n3td3v.googlepages.com/home
http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061507.html

Regards,

n3td3v

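Both advisories quoted in this thread are the same bug class: attacker-controlled text (a Referer header, an installer path field, a database error string that echoes the host the user typed) is written into an HTML page without being escaped. What follows is an added example, not code from s9y and not part of Hanno Böck's advisories, that models a referrer-listing page the way CVE-2008-1385 describes it and puts the vulnerable rendering next to a hardened one; the same escape-on-output rule is then applied to an installer-style error page for the database-host case in CVE-2008-1386. It is written in Python rather than PHP (s9y's language, where the escaping call is htmlspecialchars()). The sample Referer values, the scheme policy in sanitize_referrer, and the error text passed to render_db_error_hardened are constructed for this example and are not s9y's own output or policy.

```python
"""Referrer-logging XSS: vulnerable rendering next to a hardened one.

Added example for the s9y advisories in this thread; not s9y code. s9y is
PHP, where the escaping call is htmlspecialchars(); html.escape() plays that
role here.
"""
import html
from urllib.parse import urlsplit

# Constructed sample Referer header values, as a referrer plugin would store
# them. The second one is the payload from the CVE-2008-1385 advisory.
SAMPLE_REFERERS = [
    "http://example.org/links",
    'http://<hr onMouseOver="alert(7)">',
    "javascript:alert(1)",
    "http://example.net/?q=<script>alert(2)</script>",
]


def render_referrers_vulnerable(referers):
    """Model of the flaw: the stored header goes straight into the markup."""
    items = "".join(f'<li><a href="{r}">{r}</a></li>' for r in referers)
    return f"<ul>{items}</ul>"


def sanitize_referrer(referer):
    """Return the referrer if it is worth linking to, else None.

    Policy assumed for this example (not s9y's): only http/https URLs with a
    host. This keeps javascript: out of href attributes; it does NOT stop the
    advisory's payload, because urlsplit() accepts the tag text as a hostname.
    """
    try:
        parts = urlsplit(referer)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return referer


def render_referrers_hardened(referers):
    """Escape on output: every character that can open a tag or close an
    attribute value becomes an entity, so the browser sees text, not markup."""
    items = []
    for r in referers:
        safe = sanitize_referrer(r)
        if safe is None:
            continue
        esc = html.escape(safe, quote=True)  # escapes & < > " '
        items.append(f'<li><a href="{esc}">{esc}</a></li>')
    return "<ul>" + "".join(items) + "</ul>"


def render_db_error_hardened(host, driver_message):
    """Installer-style error page for the CVE-2008-1386 host-field case: the
    database host typed by the user comes back inside the driver's error text,
    so both strings are escaped before they reach the page."""
    return ("<p>Could not connect to database host <b>"
            + html.escape(host, quote=True) + "</b>: "
            + html.escape(driver_message, quote=True) + "</p>")


def payload_reflected_unescaped(page, payload):
    """The check a tester runs on a fetched page: is the injected markup
    present byte-for-byte, i.e. did it survive without escaping?"""
    return payload in page


if __name__ == "__main__":
    payload = SAMPLE_REFERERS[1]
    vuln = render_referrers_vulnerable(SAMPLE_REFERERS)
    safe = render_referrers_hardened(SAMPLE_REFERERS)
    print("vulnerable:", vuln)
    print("hardened:  ", safe)
    print("payload survives in vulnerable page:",
          payload_reflected_unescaped(vuln, payload))
    print("payload survives in hardened page:  ",
          payload_reflected_unescaped(safe, payload))
    # Constructed driver text for illustration; not a real MySQL message.
    print(render_db_error_hardened('<img src=x onerror=alert(3)>',
                                   "Unknown host '<img src=x onerror=alert(3)>'"))
```

Running the module prints both renderings; the advisory's wget --referer command is the live equivalent of feeding the second sample value into the vulnerable renderer, and payload_reflected_unescaped is what you would apply to the page fetched afterwards. Note that the scheme check on its own does not remove the XSS, since urlsplit() is happy to treat the injected tag as a hostname; the escaping on output is the fix, and the scheme check only keeps javascript: URLs out of the href attribute.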