Some XSS issues in Serendipity found

Monday, December 10. 2007, 14:48
I recently stumbled upon some XSS issues in Serendipity.

The first is in the remoterss plugin, which can be used to display the content of an RSS feed in the sidebar of a blog. It didn't escape links, so JavaScript code could be injected by a malicious RSS feed. This plugin is shipped with the base version of S9Y. They released 1.2.1 this weekend, which contains the fix.
If you're using the remoterss plugin, you should upgrade to 1.2.1 as soon as possible. This issue has been assigned CVE-2007-6205.
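To show what "didn't escape links" means in practice, here is an added example (not code from Serendipity or the remoterss plugin) that renders a constructed RSS feed into sidebar HTML twice: once trusting the feed, once with attribute escaping plus a scheme check. The feed contents, the `SAFE_SCHEMES` list and all function names are assumptions made for the illustration.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed feed (not from the advisory): one benign item, one whose
# <title> and <link> carry markup, and one whose link uses a non-HTTP scheme.
FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item><title>Harmless post</title><link>https://example.org/post/1</link></item>
<item><title>&lt;img src=x onerror=alert(1)&gt;</title>
<link>https://example.org/x" onmouseover="alert(1)</link></item>
<item><title>Scheme trick</title><link>javascript:alert(1)</link></item>
</channel></rss>"""

# Assumed policy: only plain web links are allowed in the sidebar.
SAFE_SCHEMES = ("http", "https")

def parse_items(feed_xml):
    """Return (title, link) pairs from an RSS 2.0 document."""
    root = ET.fromstring(feed_xml)
    return [(item.findtext("title", ""), item.findtext("link", ""))
            for item in root.iter("item")]

def render_unescaped(items):
    """Sidebar rendering that trusts the feed: feed text lands in the
    HTML verbatim, so a quote in <link> breaks out of the href attribute."""
    return "".join(f'<li><a href="{link}">{title}</a></li>'
                   for title, link in items)

def safe_href(link):
    """HTML escaping alone does not neutralise a javascript: URL inside
    href, so the scheme is checked as well; anything else degrades to '#'."""
    scheme = urlsplit(link.strip()).scheme.lower()
    return html.escape(link, quote=True) if scheme in SAFE_SCHEMES else "#"

def render_escaped(items):
    """Hardened rendering: attribute-safe escaping plus the scheme check."""
    return "".join(
        f'<li><a href="{safe_href(link)}">{html.escape(title)}</a></li>'
        for title, link in items)

if __name__ == "__main__":
    items = parse_items(FEED)
    print(render_unescaped(items))
    print(render_escaped(items))
```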

The other one is in the external mycalendar plugin. It also allows unescaped content inside links. This wouldn't be a real issue on its own, as the form in question should only be accessible to the blog administrator. But the form had no CSRF (Cross-Site Request Forgery) protection, so an attacker could trigger the form submission and thus inject JavaScript into the blog page. This has been fixed in version 0.13 of the plugin, so if you're using it, please upgrade. CVE-2007-6390 has now been assigned.

Besides that, I'd like to note that I got fast replies to my reports and the s9y devs fixed the issues quite quickly. Thanks for that!


Comments

Nice work on RemoteRSS.
However, you should still update your freewvs database for this, since at the moment it doesn't complain about the old version yet.
#1 Alex (Link) on 2007-12-10 19:35
Can freewvs detect if somebody uses the remoterss plugin? Or will you start to bug me because I did not update even though I do not use this plugin? ;-)
#2 Matz on 2007-12-10 20:28
It'll bug you.
But in this case, I would prefer that behaviour.
#3 Alex (Link) on 2007-12-10 20:42
It will bug you and I don't see much I can change to that. That's a conceptual problem of freewvs.

freewvs always checks for any vulnerability, although in many cases it'll cry about vulnerabilities that don't really affect the installation. This is not only for plugins, but also for stuff like "only affects if register_globals is set", "only a risk in combination with outdated php version" or many other cases. Especially in this case, the only way to see if this plugin is used would be to look into the database - and that's most probably not a good idea.

Anyway, the s9y update process is pretty straightforward and usually doesn't cause much pain.
#4 Hanno (Link) on 2007-12-10 23:29
http://www.heise.de/security/news/meldung/100376
;)
#5 Alex (Link) on 2008-01-02 19:56
