Serendipity freetag plugin 'serendipity[tagview]' Cross-Site Scripting vulnerability



Advisory: Serendipity freetag plugin 'serendipity[tagview]' Cross-Site Scripting vulnerability
Advisory ID: SSCHADV2011-016
Author: Stefan Schurtz
Affected Software: Successfully tested on Serendipity 1.5.5
Vendor URL: http://www.s9y.org
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The freetag plugin parameter "serendipity[tagview]" in Serendipity backend is prone to a Cross-Site Scripting vulnerability

==================
Technical Details:
==================

http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=managetags&serendipity[tagview]=<script>alert(document.cookie)</script>

=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================

22-Sep-2011 - informed developers
23-Sep-2011 - fixed in the latest version
25-Sep-2011 - release date of this security advisory
25-Sep-2011 - post on BugTraq

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://www.s9y.org
http://www.rul3z.de/advisories/SSCHADV2011-016.txt



Relevant Pages

  • [NT] ActiveSync Denial of Service Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... By "pretending" to be an iPAQ and connecting to TCP port 5679, ... sending a corrupted "I would like to sync with you" packet, ... Sample code to demonstrate the vulnerability is shown below: ...
    (Securiteam)
  • [Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Full-Disclosure)
  • Re: MS09-032 Installation
    ... Security Advisory 953839, Microsoft Security Advisory 956391, Microsoft ... Vulnerability - CVE-2008-0015, as does the FixIt some had used before ... be a mistake to "undo" the workaround, ... What would happen if I install this update and then undo the ...
    (microsoft.public.security)
  • Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-200812
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Bugtraq)
  • WSPortal version 1.0 Path Disclosure Vulnerability
    ... WSPortal version 1.0 Path Disclosure Vulnerability ... WSPortal is a site management system coded in PHP/MySQL. ... There is no official fix at the release of this Security Advisory. ...
    (Bugtraq)