Vulnerabilities > CVE-2016-10082 - Improper Access Control vulnerability in S9Y Serendipity

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

s9y

CWE-284

nessus

NVD

Published: 2016-12-30

Updated: 2017-01-03

Summary

include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.

Vulnerable Configurations

Part	Description	Count
Application	S9Y S9Y Serendipity 0.3 S9Y Serendipity 0.4 S9Y Serendipity 0.7 S9Y Serendipity 0.7.1 S9Y Serendipity 0.8 S9Y Serendipity 0.8.1 S9Y Serendipity 0.8.2 S9Y Serendipity 0.8.3 S9Y Serendipity 0.8.4 S9Y Serendipity 0.8.5 S9Y Serendipity 0.9 S9Y Serendipity 0.9.1 S9Y Serendipity 1.0 S9Y Serendipity 1.0.1 S9Y Serendipity 1.0.2 S9Y Serendipity 1.0.3 S9Y Serendipity 1.0.4 S9Y Serendipity 1.1 S9Y Serendipity 1.1.1 S9Y Serendipity 1.1.2 S9Y Serendipity 1.1.3 S9Y Serendipity 1.1.4 S9Y Serendipity 1.2 S9Y Serendipity 1.2.1 S9Y Serendipity 1.3 S9Y Serendipity 1.3.1 S9Y Serendipity 1.4 S9Y Serendipity 1.4.1 S9Y Serendipity 1.5.1 S9Y Serendipity 1.5.2 S9Y Serendipity 1.5.3 S9Y Serendipity 1.5.4 S9Y Serendipity 1.5.5 S9Y Serendipity 1.6 S9Y Serendipity 1.6.1 S9Y Serendipity 1.6.2 S9Y Serendipity 1.7 S9Y Serendipity 1.7.2 S9Y Serendipity 1.7.3 S9Y Serendipity 1.7.4 S9Y Serendipity 1.7.5 S9Y Serendipity 1.7.6 S9Y Serendipity 1.7.7 S9Y Serendipity 1.7.8 S9Y Serendipity 1.7.9 S9Y Serendipity 2.0 S9Y Serendipity 2.0.0 S9Y Serendipity 2.0.1 S9Y Serendipity 2.0.2 S9Y Serendipity 2.0.3 S9Y Serendipity 2.0.4 S9Y Serendipity 2.0.5	52

Common Weakness Enumeration (CWE)

CWE-284 - Improper Access Control

Common Attack Pattern Enumeration and Classification (CAPEC)

Embedding Scripts within Scripts
An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

NASL family	CGI abuses
NASL id	SERENDIPITY_211.NASL
description	According to its banner, the version of Serendipity running on the remote host is prior to 2.1.1. It is, therefore, affected by multiple vulnerabilities : - A stored cross-site scripting (XSS) vulnerability exists in the templates/2k11/admin/category.inc.tpl script due to improper validation of the category and directory names before returning the input to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user
last seen	2020-06-01
modified	2020-06-02
plugin id	100789
published	2017-06-14
reporter	This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/100789
title	Serendipity < 2.1.1 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(100789); script_version("1.4"); script_cvs_date("Date: 2018/07/30 11:55:11"); script_cve_id( "CVE-2016-9681", "CVE-2016-10082", "CVE-2017-5474", "CVE-2017-5475", "CVE-2017-5476" ); script_bugtraq_id( 95095, 95165, 95652, 95656, 95659 ); script_name(english:"Serendipity < 2.1.1 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Serendipity."); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of Serendipity running on the remote host is prior to 2.1.1. It is, therefore, affected by multiple vulnerabilities : - A stored cross-site scripting (XSS) vulnerability exists in the templates/2k11/admin/category.inc.tpl script due to improper validation of the category and directory names before returning the input to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-9681) - A local file inclusion flaw exists in the include/functions_installer.inc.php script due to improper sanitization of user supplied-input to the 'dbType' POST parameter. An unauthenticated, remote attacker can exploit this, via a specially crafted request that uses absolute paths, to include files on the targeted host, resulting in the disclosure of file contents or the possible execution of files as PHP scripts. (CVE-2016-10082) - A cross-site redirection vulnerability exists in the comment.php script due to improper validation of the HTTP referer header. An unauthenticated, remote attacker can exploit this, via a specially crafted link, to redirect an unsuspecting user from a legitimate website to a website of the attacker's choosing, which could then be used to conduct further attacks. (CVE-2017-5474) - A cross-site request forgery (XSRF) vulnerability exists in comment.php due to not requiring multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to cause the deletion of arbitrary comments. (CVE-2017-5475) - A cross-site request forgery (XSRF) vulnerability exists in unspecified scripts due to not requiring multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to cause the installation of event or sidebar plugins. (CVE-2017-5476)"); script_set_attribute(attribute:"see_also", value:"https://github.com/s9y/Serendipity/issues/433"); script_set_attribute(attribute:"see_also", value:"https://github.com/s9y/Serendipity/issues/439"); # https://github.com/s9y/Serendipity/commit/e2a665e13b7de82a71c9bbb77575d15131b722be script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?98bd3703"); # https://github.com/s9y/Serendipity/commit/6285933470bab2923e4573b5d54ba9a32629b0cd script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?93a3f574"); script_set_attribute(attribute:"see_also", value:"https://blog.s9y.org/archives/274-Serendipity-2.1.1-released.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Serendipity version 2.1.1 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/28"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/14"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:s9y:serendipity"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc."); script_dependencies("serendipity_detect.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/serendipity"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("vcf.inc"); app = 'serendipity'; fix = '2.1.1'; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE); vcf::check_granularity(app_info:app_info, sig_segments:3); constraints = [ {"max_version" : "2.1.0", "fixed_version" : "2.1.1" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE,xsrf:TRUE});

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References