Serendipity < 2.1.1 Multiple Vulnerabilities

critical Nessus Plugin ID 100789

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

According to its banner, the version of Serendipity running on the remote host is prior to 2.1.1. It is, therefore, affected by multiple vulnerabilities:

- A stored cross-site scripting (XSS) vulnerability exists in the templates/2k11/admin/category.inc.tpl script due to improper validation of the category and directory names before returning the input to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-9681)

- A local file inclusion flaw exists in the include/functions_installer.inc.php script due to improper sanitization of user-supplied input to the 'dbType' POST parameter. An unauthenticated, remote attacker can exploit this, via a specially crafted request that uses absolute paths, to include files on the targeted host, resulting in the disclosure of file contents or the possible execution of files as PHP scripts. (CVE-2016-10082)

- A cross-site redirection vulnerability exists in the comment.php script due to improper validation of the HTTP Referer header. An unauthenticated, remote attacker can exploit this, via a specially crafted link, to redirect an unsuspecting user from a legitimate website to a website of the attacker's choosing, which could then be used to conduct further attacks. (CVE-2017-5474)

- A cross-site request forgery (XSRF) vulnerability exists in comment.php due to not requiring multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to cause the deletion of arbitrary comments. (CVE-2017-5475)

- A cross-site request forgery (XSRF) vulnerability exists in unspecified scripts due to not requiring multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to cause the installation of event or sidebar plugins. (CVE-2017-5476)
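The three parameter-level flaw classes above (file inclusion through a database-type name, redirection driven by the Referer header, and state-changing requests without a token) each come down to a missing input check. The following is an added, illustrative example of those checks in Python; it is not Serendipity's code and not the fix shipped in 2.1.1. The function names, the allow-list contents, the `include/db` base directory and every sample input are assumptions constructed for this example.

```python
"""Illustrative input checks for the flaw classes in this advisory.

Added example: not Serendipity code, not the 2.1.1 patch. Names, paths and
sample inputs are constructed for illustration.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# --- Local file inclusion class (the 'dbType' flaw) ------------------------
# Only names from a fixed allow-list may ever be turned into a file path, so
# traversal sequences or absolute paths never reach include().
# The allow-list below is a constructed example, not the project's real list.
ALLOWED_DB_TYPES = frozenset({'mysqli', 'pdo-postgres', 'sqlite'})

def db_type_is_allowed(db_type):
    """True only for an exact allow-listed name."""
    return db_type in ALLOWED_DB_TYPES

def include_path_for(db_type, base_dir='include/db'):
    """Build an include path from an allow-listed name; refuse everything else."""
    if not db_type_is_allowed(db_type):
        raise ValueError('unsupported database type')
    return f'{base_dir}/{db_type}.inc.php'

# --- Cross-site redirection class (the Referer flaw) -----------------------
def safe_redirect_target(candidate, site_host, default='/'):
    """Return candidate only if it is same-origin or a site-relative path.

    Handles the usual bypasses: protocol-relative '//host', backslash
    variants, userinfo tricks ('https://site@evil'), look-alike suffix hosts
    and non-http schemes. Anything else falls back to the default path.
    """
    if not candidate:
        return default
    # Some browsers treat backslashes as slashes; normalise before parsing.
    parts = urlsplit(candidate.replace('\\', '/'))
    if parts.scheme == '' and parts.netloc == '':
        # Relative path: must start with exactly one '/', never '//'.
        if parts.path.startswith('/') and not parts.path.startswith('//'):
            return candidate
        return default
    # Absolute URL: scheme and host must both match the site exactly.
    if parts.scheme in ('http', 'https') and parts.hostname == site_host:
        return candidate
    return default

# --- Cross-site request forgery class (comment deletion, plugin install) ---
# A state-changing action is performed only when the request carries a
# per-session secret that an attacker's page cannot read; the comparison is
# constant-time so the token cannot be guessed byte by byte.
def generate_csrf_token():
    """Fresh 256-bit token to be stored in the user's session."""
    return secrets.token_hex(32)

def csrf_token_is_valid(session_token, submitted_token):
    """Constant-time comparison; missing tokens on either side fail."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())

def handle_delete_comment(session, form, do_delete):
    """Delete only when the form token matches the session token.

    `session` and `form` are plain dicts standing in for the request state;
    `do_delete` is the callback that would perform the deletion.
    Returns True if the deletion was carried out.
    """
    if not csrf_token_is_valid(session.get('csrf_token'), form.get('csrf_token')):
        return False
    do_delete(form['comment_id'])
    return True
```

The same pattern applies to the plugin-installation action: the token check runs before any state change, and a link a victim is tricked into following carries no token because the attacker's page cannot read the victim's session.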

Solution

Upgrade to Serendipity version 2.1.1 or later.
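The finding is banner-based: the plugin reads a version string from the site and flags anything older than 2.1.1. The following added example (not Tenable's plugin code and not Serendipity code) shows that comparison in Python, including the pre-release case that a naive string compare gets wrong. The banner strings are constructed for illustration.

```python
"""Banner-based check for 'Serendipity prior to 2.1.1'.

Added example, not plugin or project code. Sample banners are constructed.
"""
import re

FIXED_VERSION = (2, 1, 1)

# Constructed sample banners (not captured from a real host).
SAMPLE_BANNERS = [
    'Powered by Serendipity 2.0.4',
    'Serendipity 2.1.0',
    'Serendipity 2.1.1',
    'Serendipity 2.1.1-beta1',
    'Serendipity 2.2',
    'No generator tag here',
]

# Version number, optionally followed by a pre-release tag such as '-beta1'.
_VERSION_RE = re.compile(r'Serendipity\s+v?(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?')

def parse_version(banner):
    """Return ((major, minor, patch), prerelease) or None if no version is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    nums = tuple(int(x) for x in m.group(1).split('.'))
    nums = (nums + (0, 0, 0))[:3]          # pad '2.2' to (2, 2, 0)
    pre = (m.group(2).lower(), int(m.group(3) or 0)) if m.group(2) else None
    return nums, pre

def is_vulnerable(banner):
    """True if the banner reports a release older than 2.1.1.

    A 2.1.1 pre-release counts as older than the 2.1.1 release. Returns None
    when no version can be extracted, so callers never treat 'unknown' as safe.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return None
    nums, pre = parsed
    if nums < FIXED_VERSION:
        return True
    if nums == FIXED_VERSION and pre is not None:
        return True
    return False

def triage(banners):
    """Map each banner to True / False / None for a quick scan summary."""
    return {b: is_vulnerable(b) for b in banners}

if __name__ == '__main__':
    for banner, state in triage(SAMPLE_BANNERS).items():
        print(f'{state!s:5}  {banner}')
```

Treat the result as a triage signal rather than proof: a banner can be suppressed or edited, so a None or False result should be confirmed by checking the installed release on the host before closing the finding.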

See Also

https://github.com/s9y/Serendipity/issues/433

https://github.com/s9y/Serendipity/issues/439

http://www.nessus.org/u?98bd3703

http://www.nessus.org/u?93a3f574

https://blog.s9y.org/archives/274-Serendipity-2.1.1-released.html

Plugin Details

Severity: Critical

ID: 100789

File Name: serendipity_211.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 6/14/2017

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:s9y:serendipity

Required KB Items: www/serendipity

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 4/9/2017

Vulnerability Publication Date: 11/28/2016

Reference Information

CVE: CVE-2016-10082, CVE-2016-9681, CVE-2017-5474, CVE-2017-5475, CVE-2017-5476

BID: 95095, 95165, 95652, 95656, 95659