Info

Disclosure

Oct 21, 2004

Discovery

Unknown

Dates

Exploit

Oct 22, 2004

Solution

Unknown

Description

Serendipity contains a flaw that may allow a malicious user to perform HTTP response splitting on the index.php page. The issue is triggered when unexpected carriage return and/or line feed (CR/LF) characters are input into the HTTP referrer field. It is possible that the flaw may allow man-in-the-middle attacks and or cross-site-scripting attacks, resulting in a loss of confidentiality and/or integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Hijacking, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 0.7-rc1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

S9Y

Serendipity

0.7betax

References

Security Tracker: 1011864
Related OSVDB ID: 11013 11038 11039
Bugtraq ID: 11497
Secunia Advisory ID: 12909
ISS X-Force ID: 17798
CVE ID: 2004-1620 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-10/0219.html
http://marc.theaimsgroup.com/?l=bugtraq&m=109841283115808&w=2
Vendor Specific News/Changelog Entry: http://cvs.sourceforge.net/viewcvs.py/php-blog/serendipity/comment.php?rev=1.49&a ......
http://cvs.sourceforge.net/viewcvs.py/php-blog/serendipity/exit.php?rev=1.10& ......
http://cvs.sourceforge.net/viewcvs.py/php-blog/serendipity/index.php?rev=1.52& ......
http://sourceforge.net/project/shownotes.php?release_id=276694
http://www.s9y.org/5.html
Vendor Specific Advisory URL: http://sourceforge.net/project/shownotes.php?release_id=276694
Vendor URL: http://www.s9y.org/

Credit

Chaotic Evil - chaoticevilspyring.com -

Direct URL: http://osvdb.org/36218