[FD] Serendipity 2.0.1 - Code Execution

Serendipity 2.0.1: Code Execution Security Advisory – Curesec Research Team 1. Introduction Affected Product: Serendipity 2.0.1 Fixed in: 2.0.2 Fixed Version Link: http://ift.tt/1JOaWIW Vendor Contact: serendipity@supergarv.de Vulnerability Type: Code Execution Remote Exploitable: Yes Reported to vendor: 07/21/2015 Disclosed to public: 09/01/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description Serendipity 2.0.1 does not allow the upload of .php, .php4, .php5, .phtml files, or files starting with a dot - eg .htaccess files. However, files with extension .pht can be uploaded by registered users, and will be executed by most default Apache configurations. The file upload is located here: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect User registration either requires an admin to create the user, or the plugin serendipity_plugin_adduser being activated. The default setting for this plugin does not require an admin to accept the registration of that user. 3. Proof of Concept #!/usr/local/bin/php