Vulnerabilities > CVE-2004-1620 - Unspecified vulnerability in S9Y Serendipity

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
s9y
nessus
exploit available
NVD
Published: 2004-10-21
Updated: 2017-07-11

Summary

CRLF injection vulnerability in Serendipity before 0.7rc1 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the url parameter in (1) index.php and (2) exit.php, or (3) the HTTP Referer field in comment.php.

Vulnerable Configurations

Part Description Count
Application
S9Y
14

Exploit-Db

descriptionSerendipity 0.x Exit.PHP HTTP Response Splitting Vulnerability. CVE-2004-1620. Webapps exploit for php platform
idEDB-ID:24697
last seen2016-02-02
modified2004-10-21
published2004-10-21
reporterChaoticEvil
sourcehttps://www.exploit-db.com/download/24697/
titleSerendipity 0.x Exit.PHP HTTP Response Splitting Vulnerability

Nessus

NASL familyCGI abuses
NASL idSERENDIPITY_HTTP_SPLITTING.NASL
descriptionThe remote version of Serendipity is affected by an HTTP response- splitting vulnerability that may allow an attacker to perform a cross- site scripting attack against the remote host.
last seen2020-06-01
modified2020-06-02
plugin id15543
published2004-10-21
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15543
titleSerendipity Multiple Script HTTP Response Splitting
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(15543);
 script_version ("1.20");

 script_cve_id("CVE-2004-1620");
 script_bugtraq_id(11497);

 script_name(english:"Serendipity Multiple Script HTTP Response Splitting");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
cross-site scripting flaw." );
 script_set_attribute(attribute:"description", value:
"The remote version of Serendipity is affected by an HTTP response-
splitting vulnerability that may allow an attacker to perform a cross-
site scripting attack against the remote host." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Oct/230" );
 script_set_attribute(attribute:"see_also", value:"https://docs.s9y.org/" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Serendipity 0.7rc1 or newer." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/10/21");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/10/21");
 script_cvs_date("Date: 2018/11/15 20:50:18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:s9y:serendipity");
script_end_attributes();

 
 script_summary(english:"Checks for the presence of Serendipity");
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 script_dependencies("serendipity_detect.nasl");
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_ports("Services/www", 80);
 script_require_keys("www/serendipity");
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if(!can_host_php(port:port))exit(0);


# Test an install.
install = get_kb_item(string("www/", port, "/serendipity"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  ver = matches[1];
  if (ver =~ "0\.([0-6][^0-9]|7-b)")
  {
   security_warning(port);
   set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  }
}

References