Cross Site Scripting (XSS) in serendipity 1.3 referrer plugin, CVE-2008-1385

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1385
http://www.s9y.org/

Description

In the referrer plugin of the blog application Serendipity, the referrer string (the HTTP Referer header sent by the visitor) is not escaped, leading to a permanent (stored) XSS.

Example

One can inject malicious JavaScript code with:

wget --referer='http://<hr onMouseOver="alert(7)">' http://someblog.com/

Workaround/Fix

If you are using the referrer plugin, upgrade to 1.3.1.
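
For sites that display referrers with their own code, the missing output escaping looks like this next to a hardened version. This is an added PHP example, not Serendipity's code or its 1.3.1 patch; the function names and the sample referrer list are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not Serendipity code. All names are hypothetical.

// Constructed sample of stored Referer header values, including the
// string from the advisory's example.
$storedReferrers = [
    'http://example.org/some/post',
    'http://<hr onMouseOver="alert(7)">',
    'ftp://example.org/file',
];

// Vulnerable pattern: the stored header value is echoed into HTML as-is,
// so markup in the Referer header becomes markup in the page.
function render_referrer_unsafe(string $ref): string
{
    return '<li><a href="' . $ref . '">' . $ref . '</a></li>';
}

// Hardened pattern: escape for the HTML context on output, and only emit a
// link when the value parses as an http(s) URL with a plain host name.
function render_referrer_safe(string $ref): string
{
    $text  = htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
    $parts = parse_url($ref);
    $isWebUrl = is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && preg_match('/^[A-Za-z0-9.-]+$/', $parts['host']) === 1;

    return $isWebUrl
        ? '<li><a href="' . $text . '" rel="nofollow noopener">' . $text . '</a></li>'
        : '<li>' . $text . '</li>';   // shown as inert text, never as a link
}

foreach ($storedReferrers as $ref) {
    echo "unsafe: ", render_referrer_unsafe($ref), "\n";
    echo "safe:   ", render_referrer_safe($ref), "\n";
}
```

Escaping happens at output time, so referrer values that were stored before the fix are also rendered inertly.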

Disclosure Timeline

2008-03-18 Vendor contacted
2008-03-18 Vendor answered
2008-03-18 Vendor fixed issue in trunk/branch revision
2008-04-22 Vendor released 1.3.1
2008-04-22 Advisory published

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-1385 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. This advisory is licensed under the Creative Commons Attribution license.

Hanno Boeck, 2008-04-xx, http://www.hboeck.de