Serendipity version 2.0.1 suffers from a persistent cross site scripting vulnerability.
Serendipity 2.0.1: Persistent XSS
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: Serendipity 2.0.1
Fixed in: 2.0.2
Fixed Version Link:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip
Vendor Contact: serendipity@supergarv.de
Vulnerability Type: Persistent XSS
Remote Exploitable: Yes
Reported to vendor: 07/21/2015
Disclosed to public: 09/01/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH
2. Vulnerability Description
There is a persistent XSS vulnerability in Serendipity 2.0.1 when using
the default 2k11 theme. It requires a click by the victim to trigger.
The problem exists because the theme reads the name field of a
comment using the jQuery .text() function, which decodes the previously
properly encoded name. It then inserts the decoded result back into the DOM.
3. Proof of Concept
Add a comment with the name <img src="no" onerror="alert(1)">
Click "reply" on that comment.
The admin may be tricked into clicking on "reply" by leaving a question as
a comment, or via clickjacking.
4. Code
include/functions_comments.inc.php:180
function serendipity_displayCommentForm
[...]
'commentform_replyTo' =>
serendipity_generateCommentList($id, $comments,
((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)),
include/functions_comments.inc.php:306
function serendipity_generateCommentList(
[...]
$retval .= '<option value="' . $comment['id'] . '"'
    . (($selected == $comment['id']
        || (isset($serendipity['POST']['replyTo'])
            && $comment['id'] == $serendipity['POST']['replyTo']))
        ? ' selected="selected"' : '')
    . '>' . str_repeat(' ', $level * 2) . '#' . $indent . $i . ': '
    . (empty($comment['author']) ? ANONYMOUS : serendipity_specialchars($comment['author']))
js/2k11.min.js
a("#serendipity_replyTo :selected").text()
5. Solution
To mitigate this issue, please upgrade to version 2.0.2 or later:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip
Please note that a newer version might already be available.
6. Report Timeline
07/21/2015 Informed Vendor about Issue
07/24/2015 Vendor releases Version 2.0.2
09/01/2015 Disclosed to public
7. Blog Reference
http://blog.curesec.com/article/blog/Serendipity-201-Persistent-XSS-51.html