Multiple cross-site scripting vulnerabilities in the Serendipity administration pages

Vulnerability ID: 1193075    Vulnerability type: cross-site scripting
Published: 2006-10-25    Updated: 2006-10-26
CVE: CVE-2006-5499    CNNVD ID: CNNVD-200610-416
Platform: N/A    CVSS score: 6.8
|Vulnerability sources
https://cxsecurity.com/issue/WLB-2006100133
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-416
|Vulnerability details
Multiple cross-site scripting vulnerabilities exist in Serendipity (s9y) 1.0.1 and earlier; a remote attacker can inject arbitrary web script or HTML via unspecified vectors on the media manager administration page.
|Vulnerability EXP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hardened-PHP Project
www.hardened-php.net

-= Security  Advisory =-

     Advisory: Serendipity Weblog XSS Vulnerabilities
 Release Date: 2006/10/19
Last Modified: 2006/10/19
       Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]]

  Application: Serendipity <= 1.0.1
     Severity: Multiple XSS vulnerabilities within the administration
               interface allow Cross Site Scripting attacks against
               the blog admin
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_112006.136.html

Overview:

Quote from http://www.s9y.org
   "Serendipity is a PHP-powered weblog application which gives the 
    user an easy way to maintain an online diary, weblog or even a 
    complete homepage. While the default package is designed for 
    the casual blogger, Serendipity offers a flexible, expandable 
    and easy-to-use framework with the power for professional 
    applications."

   During a quick audit of Serendipity it was discovered that
   multiple XSS vulnerabilities exist in the administration area.
   Because of these vulnerabilities it is possible for an attacker
   who tricks an admin into visiting a specially prepared website
   to perform any administrative action in the blog. This includes
   posting entries or adding additional admin users.

   Tricking a blog admin into visiting a certain website is usually as
   simple as mentioning a URL in the comments of his blog.

Details:

   Serendipity failed to correctly sanitize user input on the
   media manager administration page. The content of GET variables
   was written into JavaScript strings. By using standard string
   evasion techniques it was possible to execute arbitrary
   JavaScript.

   Additionally, Serendipity dynamically created an HTML form on
   the media manager administration page that contained all
   variables found in the URL as hidden fields. While the variable
   values were correctly escaped, it was possible to break out
   by specifying strange variable names.
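The two output-encoding mistakes described above, shown in PHP beside a hardened form of each. This is an added illustration, not code from the advisory or from Serendipity itself; the helper names (js_string_*, hidden_fields_*) and the $query array standing in for the request parameters are assumptions.

```php
<?php
// Added example, not code from the advisory or from Serendipity itself.
// Assumed names: $query stands in for the request parameters (e.g. $_GET);
// js_string_* and hidden_fields_* are illustrative helper names.

// 1) A request value written into a JavaScript string literal.
//    Vulnerable: the value is pasted into the script verbatim, so a quote
//    in the value terminates the string and what follows runs as code.
function js_string_vulnerable(string $value): string {
    return "<script>var dir = '" . $value . "';</script>";
}
//    Hardened: json_encode() emits a valid JS literal, and the HEX flags
//    turn < > & ' " into \u escapes, so the value can close neither the
//    string nor the surrounding <script> element.
function js_string_hardened(string $value): string {
    $literal = json_encode($value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?: '""';
    return "<script>var dir = " . $literal . ";</script>";  // "" if not valid UTF-8
}

// 2) A form that mirrors every URL parameter as a hidden field.
//    Vulnerable: only the value is escaped; the parameter *name* is
//    trusted, so a name containing '"' or '>' breaks out of the attribute.
function hidden_fields_vulnerable(array $query): string {
    $html = '';
    foreach ($query as $name => $value) {
        $html .= '<input type="hidden" name="' . $name . '" value="'
               . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . "\">\n";
    }
    return $html;
}
//    Hardened: escape the name as well as the value, and mirror only the
//    parameters the page expects (an allow-list), not everything in the URL.
function hidden_fields_hardened(array $query, array $allowed): string {
    $html = '';
    foreach ($allowed as $name) {
        if (!isset($query[$name])) { continue; }
        $html .= '<input type="hidden" name="'
               . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '" value="'
               . htmlspecialchars((string)$query[$name], ENT_QUOTES, 'UTF-8') . "\">\n";
    }
    return $html;
}

// Constructed sample input: a parameter name and a value carrying the
// characters (' " <) that the unescaped versions would pass through.
$query = ['dir' => "it's <here>", 'odd"name<' => 'x'];
echo js_string_hardened($query['dir']), "\n";  // every special char \u-escaped
echo hidden_fields_hardened($query, ['dir']);  // only "dir" mirrored, escaped
```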

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for
   this vulnerability to the public.

Disclosure Timeline:

   05. October 2006 - Contacted Serendipity developers by email
   18. October 2006 - Updated Serendipity was released
   19. October 2006 - Public Disclosure

Recommendation:

   It is strongly recommended to upgrade to the newest version of
   Serendipity 1.0.2 which you can download at:

   http://prdownloads.sourceforge.net/php-blog/serendipity-1.0.2.tar.gz?download

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

|References

SECUNIA 22501: http://secunia.com/advisories/22501
BID 20627: http://www.securityfocus.com/bid/20627
BUGTRAQ 20061019 Advisory 11/2006: Serendipity Weblog XSS Vulnerabilities: http://www.securityfocus.com/archive/1/archive/1/449189/100/0/threaded
www.s9y.org: http://www.s9y.org/forums/viewtopic.php?t=7356
MISC: http://www.hardened-php.net/advisory_112006.136.html
VUPEN ADV-2006-4135: http://www.frsirt.com/english/advisories/2006/4135
SECTRACK 1017100: http://securitytracker.com/id?1017100
XF serendipity-admin-xss(29695): http://xforce.iss.net/xforce/xfdb/29695
OSVDB 29893: http://www.osvdb.org/29893
SREASON 1771: http://securityreason.com/securityalert/1771
FULLDISC 20061019 Advisory 11/2006: Serendipity Weblog XSS Vulnerabilities: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0395.html