Serendipity 2.0.1: Persistent XSS

Serendipity 2.0.1: Persistent XSS

Date: 2015-09-01 10:42:40
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Serendipity 2.0.1
Fixed in: 2.0.2
Fixed Version Link: https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip
Vendor Contact: serendipity@supergarv.de
Vulnerability Type: Persistent XSS
Remote Exploitable: Yes
Reported to vendor: 07/21/2015
Disclosed to public: 09/01/2015
Release mode: Coordinated release
CVE: CVE-2015-6969
Credits Tim Coen of curesec GmbH

2. Vulnerability Description

There is a persistent XSS vulnerability in Serendipity 2.0.1 when using the default 2k11 theme. It requires a click of the victim to trigger.

The problem exists because the theme reads out the name field of a comment using the jQuery .text() function, which decodes the previously properly encoded name. It then inserts the result back into the DOM.

3. Proof of Concept

  1. Add comment with name <img src="no" onerror="alert(1)">
  2. Click "reply" on that comment
The admin may be tricked into clicking on reply by leaving a question as comment or via ClickJacking.

4. Code

include/functions_comments.inc.php:180 function serendipity_displayCommentForm [...] 'commentform_replyTo' => serendipity_generateCommentList($id, $comments, ((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)), include/functions_comments.inc.php:306 function serendipity_generateCommentList( [...] $retval .= '<option value="' . $comment['id'] . '"'. ($selected == $comment['id'] || (isset($serendipity['POST']['replyTo']) && $comment['id'] == $serendipity['POST']['replyTo']) ? ' selected="selected"' : '') .'>' . str_repeat(' ', $level * 2) . '#' . $indent . $i . ': ' . (empty($comment['author']) ? ANONYMOUS : serendipity_specialchars($comment['author'])) js/2k11.min.js a("#serendipity_replyTo :selected").text()

5. Solution

To mitigate this issue please upgrade at least to version 2.0.2:

https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Please note that a newer version might already be available.

5. Report Timeline

07/21/2015 Informed Vendor about Issue
07/24/2015 Vendor releases Version 2.0.2
09/01/2015 Disclosed to public