Some XSS issues in Serendipity found

Monday, December 10. 2007

Some XSS issues in Serendipity found

I recently stepped upon some XSS issues in Serendipity.

The first is in the remoterss-plugin, which can be used to display the content of an RSS feed in the sidebar of a blog. It didn't escape links, so JavaScript-Code could be injected by malicious RSS feeds. This plugin is shipped with the base version of S9Y. They've released 1.2.1 this weekend which has the fix.
If you're using the remoterss plugin, you should upgrade to 1.2.1 as soon as possible. This issue is named CVE-2007-6205.

The other one is in the external mycalendar-plugin. It also allows unescaped content inside links. This wouldn't be a real issue, as this form should only be accessible by the blog administrator. But the form had no CSRF (Cross-Site-Request-Forgery) protection, so an attacker could trigger this form and thus inject javascript on the blog-page. This has been fixed within version 0.13 of the plugin, so if you're using it, please upgrade. CVE-2007-6390 now assigned.

Beside I'd like to note that I got fast replies to my reports and the s9y devs fixed them quite quickly. Thanks for that!
Posted by Hanno Böck in Code, Security at 14:48 | Comments (5) | Trackbacks (0)
Defined tags for this entry: , , , , ,
Related entries by tags:

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Schöne Sache @ RemoteRSS.
Allerdings solltest du noch deine freewvs-Datenbank bzgl. dessen updaten, da es momentan noch nicht über die alte Version meckert.
#1 Alex (Homepage) on 2007-12-10 19:35 (Reply)
Can freewvs detect if somebody uses the remoterss-plugin ? Or will you start to bug me because I did not update even though I do not use this plugin ? ;-)
#2 Matz on 2007-12-10 20:28 (Reply)
It'll bug you.
But in this case, I would prefer that behaviour.
#2.1 Alex (Homepage) on 2007-12-10 20:42 (Reply)
It will bug you and I don't see much I can change to that. That's a conceptual problem of freewvs.

freewvs always checks for any vulnerability, although in many cases it'll cry about vulnerabilities that don't really affect the installation. This is not only for plugins, but also for stuff like »only affects if register_globals is set", "only a risk in combination with outdated php version" or many other cases. Especially in this case, the only way to see if this plugin is used would be to look into the database - and that's most probably not a good idea.

Anyway, s9y update process is pretty straight and usually doesn't cause much pain.
#2.2 Hanno (Homepage) on 2007-12-10 23:29 (Reply)
http://www.heise.de/security/news/meldung/100376
;)
#3 Alex (Homepage) on 2008-01-02 19:56 (Reply)

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

About me

You can find my web page with links to my work as a journalist at https://hboeck.de/.

You may also find my newsletter about climate change and decarbonization technologies interesting.

Hanno Böck
mail: hanno@hboeck.de

Hanno on Mastodon

Impressum

schokokeks.org

Creative Commons

CC0
Unless noted otherwise, all content is CC Zero / public domain

Show tagged entries

Frontpage
Datenschutz / Privacy