[FD] Serendipity 2.0.1 - Persistent XSS

Serendipity 2.0.1: Persistent XSS Security Advisory – Curesec Research Team 1. Introduction Affected Product: Serendipity 2.0.1 Fixed in: 2.0.2 Fixed Version Link: http://ift.tt/1JOaWIW Vendor Contact: serendipity@supergarv.de Vulnerability Type: Persistent XSS Remote Exploitable: Yes Reported to vendor: 07/21/2015 Disclosed to public: 09/01/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description There is a persistent XSS vulnerability in Serendipity 2.0.1 when using the default 2k11 theme. It requires a click of the victim to trigger. The problem exists because the theme reads out the name field of a comment using the jQuery .text() function, which decodes the previously properly encoded name. It then inserts the result back into the DOM. 3. Proof of Concept Add comment with name Click "reply" on that comment The admin may be tricked into clicking on reply by leaving a question as comment or via ClickJacking. 4. Code include/functions_comments.inc.php:180 function serendipity_displayCommentForm [...] 'commentform_replyTo' => serendipity_generateCommentList($id, $comments, ((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)), include/functions_comments.inc.php:306 function serendipity_generateCommentList( [...] $retval .= '' . str_repeat(' ', $level * 2) . '#' . $indent . $i . ': ' . (empty($comment['author']) ? ANONYMOUS : serendipity_specialchars($comment['author'])) js/2k11.min.js a("#serendipity_replyTo :selected").text() 5. Solution To mitigate this issue please upgrade at least to version 2.0.2: http://ift.tt/1JOaWIW Please note that a newer version might already be available. 5. Report Timeline 07/21/2015 Informed Vendor about Issue 07/24/2015 Vendor releases Version 2.0.2 09/01/2015 Disclosed to public 6. Blog Reference http://ift.tt/1IMn5cd

Source: Gmail -> IFTTT-> Blogger