<div>v3nt3d is happy to accept these first two entries to "Tuesday" (A new and innovative day brought to you by v3nt3d) - If you want a real chance to win you may have to try to be more obnoxious (Releasing an XSS under creative commons is a good start though). n3td3v, v3nt3d likes your entry, but knows you can do much better...</div>
<div><br> </div>
<div class="gmail_quote">On Tue, Apr 22, 2008 at 12:01 PM, n3td3v <<a href="mailto:xploitable@gmail.com">xploitable@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div></div>
<div class="Wj3C7c">On Tue, Apr 22, 2008 at 11:25 AM, Hanno Böck <<a href="mailto:hanno@hboeck.de">hanno@hboeck.de</a>> wrote:<br>> Two smaller issues in s9y, published here:<br>> <a href="http://int21.de/cve/CVE-2008-1386-s9y.html" target="_blank">http://int21.de/cve/CVE-2008-1386-s9y.html</a><br>
> <a href="http://int21.de/cve/CVE-2008-1387-s9y.html" target="_blank">http://int21.de/cve/CVE-2008-1387-s9y.html</a><br>><br>><br>> Cross Site Scripting (XSS) in serendipity 1.3 referrer plugin, CVE-2008-1385<br>
> References<br>><br>> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1385" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1385</a><br>> <a href="http://www.s9y.org/" target="_blank">http://www.s9y.org/</a><br>
> Description<br>><br>> In the referrer plugin of the blog application serendipity, the referrer<br>> string is not escaped, thus leading to a permanent XSS.<br>> Example<br>><br>> One can inject malicious javascript code with:<br>
><br>> wget --referer='http://<hr onMouseOver="alert(7)">' <a href="http://someblog.com/" target="_blank">http://someblog.com/</a><br>><br>> Workaround/Fix<br>><br>> If you are using the referrer plugin, upgrade to 1.3.1.<br>
> Disclosure Timeline<br>><br>> 2008-03-18 Vendor contacted<br>> 2008-03-18 Vendor answered<br>> 2008-03-18 Vendor fixed issue in trunk/branch revision<br>> 2008-04-22 Vendor released 1.3.1<br>> 2008-04-22 Advisory published<br>
> CVE Information<br>><br>> The Common Vulnerabilities and Exposures (CVE) project has assigned the name<br>> CVE-2008-1385 to this issue. This is a candidate for inclusion in the CVE<br>> list (<a href="http://cve.mitre.org/" target="_blank">http://cve.mitre.org/</a>), which standardizes names for security problems.<br>
> Credits and copyright<br>><br>> This vulnerability was discovered by Hanno Boeck of <a href="http://schokokeks.org/" target="_blank">schokokeks.org</a> webhosting.<br>> It's licensed under the creative commons attribution license.<br>
><br>> Hanno Boeck, 2008-04-xx, <a href="http://www.hboeck.de/" target="_blank">http://www.hboeck.de</a><br>><br>><br>><br>><br>> Cross Site Scripting (XSS) in serendipity 1.3 installer, CVE-2008-1386<br>
> References<br>><br>> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1386" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1386</a><br>> <a href="http://www.s9y.org/" target="_blank">http://www.s9y.org/</a><br>
> Description<br>><br>> The installer of serendipity 1.3 has various Cross Site Scripting issues. This<br>> is considered low priority, as attack scenarios are very unlikely.<br>><br>> Various path fields are not escaped properly, thus filling them with<br>
> javascript code will lead to XSS. MySQL error messages are not escaped, thus<br>> the database host field can also be filled with javascript.<br>> Workaround/Fix<br>><br>> If you are doing a fresh installation of serendipity, use version 1.3.1.<br>
><br>> In general, don't leave uninstalled web applications lying around on a public<br>> webspace.<br>> Disclosure Timeline<br>><br>> 2008-03-21 Vendor contacted with patches<br>> 2008-03-21 Vendor fixed issue in trunk/branch revision<br>
> 2008-04-22 Vendor released 1.3.1<br>> 2008-04-22 Advisory published<br>> CVE Information<br>><br>> The Common Vulnerabilities and Exposures (CVE) project has assigned the name<br>> CVE-2008-1386 to this issue. This is a candidate for inclusion in the CVE<br>
> list (<a href="http://cve.mitre.org/" target="_blank">http://cve.mitre.org/</a>), which standardizes names for security problems.<br>> Credits and copyright<br>><br>> This vulnerability was discovered by Hanno Boeck of <a href="http://schokokeks.org/" target="_blank">schokokeks.org</a> webhosting.<br>
> It's licensed under the creative commons attribution license.<br>><br>> Hanno Boeck, 2008-04-xx, <a href="http://www.hboeck.de/" target="_blank">http://www.hboeck.de</a><br>><br>> --<br>> Hanno Böck Blog: <a href="http://www.hboeck.de/" target="_blank">http://www.hboeck.de/</a><br>
> GPG: 3DBD3B20 Jabber/Mail: <a href="mailto:hanno@hboeck.de">hanno@hboeck.de</a><br>><br></div></div>> _______________________________________________<br>> Full-Disclosure - We believe in it.<br>
> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>> Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>
><br><br>Web Application Security Awareness Day,<br>It's the only day in the year you don't get laughed at for releasing XSS.<br><br>Learn More<br><a href="http://n3td3v.googlepages.com/home" target="_blank">http://n3td3v.googlepages.com/home</a><br>
<a href="http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061507.html" target="_blank">http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061507.html</a><br><br>Regards,<br><br>n3td3v<br>
</blockquote></div><br>
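<div>The referrer-plugin issue (CVE-2008-1385) quoted above, as an added example that is not code from the advisory or from Serendipity itself: a Python sketch of a referrer widget that writes the raw Referer header into the page, beside a rendering that allowlists the URL scheme and HTML-escapes the value before output. The sample Referer values are constructed; the markup test string is the one given in the advisory.</div>

```python
# Added example (not Serendipity's own code): unescaped vs. escaped rendering of
# a referrer list, the defect pattern described in the advisory for CVE-2008-1385.
from html import escape
from urllib.parse import urlsplit

# Constructed sample Referer header values; the second is the advisory's test string.
SAMPLE_REFERERS = [
    "http://example.org/some/page?x=1&y=2",
    'http://<hr onMouseOver="alert(7)">',
    "javascript:alert(1)",
    "https://example.net/",
]


def render_unescaped(referers):
    """Vulnerable rendering: the header value lands in the page as-is, in both an
    attribute and a text context, so any markup in it becomes part of the DOM."""
    return "".join(f'<li><a href="{r}">{r}</a></li>' for r in referers)


def is_acceptable(referer):
    """Only http(s) referers with a non-empty host are kept; anything else (for
    example a javascript: pseudo-URL) is dropped rather than rendered."""
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_escaped(referers):
    """Hardened rendering: scheme allowlist, then html.escape with quote=True so
    the value is inert in the href attribute and in the link text alike."""
    items = []
    for r in referers:
        if not is_acceptable(r):
            continue
        safe = escape(r, quote=True)
        items.append(f'<li><a href="{safe}">{safe}</a></li>')
    return "".join(items)


def contains_markup(referer):
    """Detection helper for log review: a Referer carrying angle brackets or
    quotes is not a URL a browser would normally send and is worth a look."""
    return any(c in referer for c in "<>\"'")


if __name__ == "__main__":
    print(render_unescaped(SAMPLE_REFERERS))
    print(render_escaped(SAMPLE_REFERERS))
    print([r for r in SAMPLE_REFERERS if contains_markup(r)])
```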