[Full-disclosure] Serendipity Freetag-plugin XSS vulnerability

From: Research <bugtraq_at_nospam>
Date: Fri Feb 08 2008 - 18:14:35 GMT
To: full-disclosure@lists.grok.org.uk

Advisory: Serendipity Freetag-plugin XSS vulnerability
Application: Serendipity Freetag-plugin =< 2.95
Category: Web application
Class: Cross Site Scripting (XSS)
Release date: 08. February 2008
Last updated: 08. February 2008
Remote: Yes
Local: No
CVE: Not yet assigned
Credits: Alexander Brachmann (research@bitsploit.de)
Author of advisory: Alexander Brachmann (research@bitsploit.de)
Severity: An XSS flaw was discovered in the optional Freetag-plugin for Serendipity (popular weblog application). E.g., this could lead to a hijacked Serendipity account.
Risk: High
Vendor/Project/Programmer(s): Garvin Hicking, Jonathan Arkell, Grischa Brockhaus
Solution status: The programmers have fixed this flaw in Freetag version 2.96.
References: [1] http://blog.s9y.org/archives/190-Freetag-plugin-updated-to-prevent-XSS.html [2] http://www.bitsploit.de/uploads/Code/200802080000/ [3] http://www.bitsploit.de/uploads/Bilder/200802101012/s9y-xss.jpg
Overview: Quote from www.s9y.org: "Serendipity is a PHP-powered weblog application which gives the user an easy way to maintain an online diary, weblog or even a complete homepage. While the default package is designed for the casual blogger, Serendipity offers a flexible, expandable and easy-to-use framework with the power for professional applications. Casual users appreciate the way Serendipity's sophisticated plugin architecture allows you to easily modify both the appearance of your blog and its features. You can install more than 120 plugins with just one click, instantly enhancing your blog's functionality."

While testing Serendipity an XSS flaw was discovered in the optional plugin for tagging entries called "Freetag". For example, this could lead to a hijacked Serendipity account.

Details: The Freetag-plugin displays the tag name, specified in a URL, back to the user. Due to a defective sanitization of the user's input, it is possible to inject arbitrary code which will be reflected on the website.
Proof of Concept (PoC): URL: http://www.example.com/plugin/tag/%3Cdiv%20style=width:expression(alert(document.cookie));%3E Hint: PoC does currently work in Microsoft Internet Explorer 6, Microsoft Internet Explorer 7 and Netscape Navigator 8.1+ (in Internet Explorer rendering mode) only.
Solution: We strongly recommend you to upgrade to Freetag version 2.96 which fixes this flaw. URL: http://spartacus.s9y.org/cvs/additional_plugins/serendipity_event_freetag.zip
Disclosure timeline: 05. February 2008 - Flaw was discovered and re-checked. 06. February 2008 - Programmers have been notified. (Due to responsible disclosure.) 06. February 2008 - Fix was committed. 07. February 2008 - Freetag 2.96 released to the public. 08. February 2008 - Public disclosure.
GPG: E-Mail: research@bitsploit.de Public key: http://www.bitsploit.de/gpg/domains/public_key.asc Key ID: 0x75093340 Key Fingerprint: D542 669B 02F8 7874 F75A A44C AA0B 41FC 7509 3340
Copyright: Creative Commons - by - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: reepex: "Re: [Full-disclosure] ASUS Eee PC rooted out of the box"
Previous message: RISE Security: "[Full-disclosure] ASUS Eee PC rooted out of the box"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]