Serendipity 2.0.1: Persistent XSS
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: 	Serendipity 2.0.1	
Fixed in: 		2.0.2
Fixed Version Link:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Vendor Contact: 	serendipity@supergarv.de	
Vulnerability Type: 	Persistent XSS	
Remote Exploitable: 	Yes	
Reported to vendor: 	07/21/2015	
Disclosed to public: 	09/01/2015	
Release mode: 		Coordinated release	
CVE: 			n/a	
Credits 		Tim Coen of Curesec GmbH	

2. Vulnerability Description

There is a persistent XSS vulnerability in Serendipity 2.0.1 when using
the default 2k11 theme. It requires a click of the victim to trigger.

The problem exists because the theme reads out the name field of a
comment using the jQuery .text() function, which decodes the previously
properly encoded name. It then inserts the result back into the DOM.

3. Proof of Concept

    Add comment with name <img src="no" onerror="alert(1)">
    Click "reply" on that comment

The admin may be tricked into clicking on reply by leaving a question as
comment or via ClickJacking.

4. Code


 	    include/functions_comments.inc.php:180
		    function serendipity_displayCommentForm
		    [...]
			    'commentform_replyTo'        =>
serendipity_generateCommentList($id, $comments,
((isset($data['replyTo']) && ($data['replyTo'])) ? $data['replyTo'] : 0)),

	    include/functions_comments.inc.php:306
		    function serendipity_generateCommentList(
		    [...]
		    $retval .= '<option value="' . $comment['id'] . '"'. ($selected ==
$comment['id'] || (isset($serendipity['POST']['replyTo']) &&
$comment['id'] == $serendipity['POST']['replyTo']) ? '
selected="selected"' : '') .'>' . str_repeat(' ', $level * 2) . '#' .
$indent . $i . ': ' . (empty($comment['author']) ? ANONYMOUS :
serendipity_specialchars($comment['author']))

        js/2k11.min.js
            a("#serendipity_replyTo :selected").text()

5. Solution

To mitigate this issue please upgrade at least to version 2.0.2:

https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Please note that a newer version might already be available.

5. Report Timeline

07/21/2015 	Informed Vendor about Issue
07/24/2015 	Vendor releases Version 2.0.2
09/01/2015 	Disclosed to public

6. Blog Reference
http://blog.curesec.com/article/blog/Serendipity-201-Persistent-XSS-51.html