Some XSS issues in Serendipity found

Hanno's Blog

Monday, December 10. 2007

Some XSS issues in Serendipity found

I recently stepped upon some XSS issues in Serendipity.

The first is in the remoterss-plugin, which can be used to display the content of an RSS feed in the sidebar of a blog. It didn't escape links, so JavaScript-Code could be injected by malicious RSS feeds. This plugin is shipped with the base version of S9Y. They've released 1.2.1 this weekend which has the fix.
If you're using the remoterss plugin, you should upgrade to 1.2.1 as soon as possible. This issue is named CVE-2007-6205.

The other one is in the external mycalendar-plugin. It also allows unescaped content inside links. This wouldn't be a real issue, as this form should only be accessible by the blog administrator. But the form had no CSRF (Cross-Site-Request-Forgery) protection, so an attacker could trigger this form and thus inject javascript on the blog-page. This has been fixed within version 0.13 of the plugin, so if you're using it, please upgrade. CVE-2007-6390 now assigned.

Beside I'd like to note that I got fast replies to my reports and the s9y devs fixed them quite quickly. Thanks for that!
Posted by Hanno Böck in Code, Security at 14:48 | Comments (5) | Trackbacks (0)
Defined tags for this entry: , , , , ,
Related entries by tags:

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Schöne Sache @ RemoteRSS.
Allerdings solltest du noch deine freewvs-Datenbank bzgl. dessen updaten, da es momentan noch nicht über die alte Version meckert.
#1 Alex (Homepage) on 2007-12-10 19:35 (Reply)
Can freewvs detect if somebody uses the remoterss-plugin ? Or will you start to bug me because I did not update even though I do not use this plugin ? ;-)
#2 Matz on 2007-12-10 20:28 (Reply)
It'll bug you.
But in this case, I would prefer that behaviour.
#2.1 Alex (Homepage) on 2007-12-10 20:42 (Reply)
It will bug you and I don't see much I can change to that. That's a conceptual problem of freewvs.

freewvs always checks for any vulnerability, although in many cases it'll cry about vulnerabilities that don't really affect the installation. This is not only for plugins, but also for stuff like »only affects if register_globals is set", "only a risk in combination with outdated php version" or many other cases. Especially in this case, the only way to see if this plugin is used would be to look into the database - and that's most probably not a good idea.

Anyway, s9y update process is pretty straight and usually doesn't cause much pain.
#2.2 Hanno (Homepage) on 2007-12-10 23:29 (Reply)
http://www.heise.de/security/news/meldung/100376
;)
#3 Alex (Homepage) on 2008-01-02 19:56 (Reply)

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

About

This blog is written by Hanno Böck. Unless noted otherwise, its content is licensed as CC0.

You can find my web page with links to my work as a journalist here.

I am also publishing a newsletter about climate change and decarbonization technologies.

The blog uses the free software Serendipity and is hosted at schokokeks.org.

Hanno on Mastodon | Contact / Imprint | Privacy / Datenschutz