Case CVE-2013-5670

Sammy from the OpenSysCom company found an XSS vulnerability in spell-check-savedicts.php in the Serendipity software and emailed it to the public on 2012-07-06, but failed to coordinate and fix this security vulnerability with the Serendipity upstream developers. In other words, this was uncoordinated disclosure. It is an exemplary case of why proper vulnerability coordination, communication and co-operation are needed to ensure software security. I have no knowledge of whether or how Sammy tried to contact the developers, but the Serendipity project never got notification of this vulnerability before I contacted Garvin Hicking on 2013-08-22. He replied the next day, telling me that he had just committed a fix for this vulnerability to the 1.7 and 2.0 maintenance repositories. Users of Serendipity can also mitigate this issue by removing the file htmlarea/plugins/SpellChecker/spell-check-savedicts.php completely. New version 1.7.3 was released to fix this security vulnerability, which took six days from the vendor after the report, so vendor acknowledgement/solution time clearly was not the problem.

Proof-of-concept:

http://example.com/serendipity/htmlarea/plugins/SpellChecker/spell-check-savedicts.php?to_r_list=%3Cscript%3Ealert%28123%29%3C/script%3E/

National Vulnerability Database describes CVE-2013-5670 as:

Cross-site scripting (XSS) vulnerability in spell-check-savedicts.php in the htmlarea SpellChecker module, as used in Serendipity before 1.7.3 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the to_r_list parameter.
The CVE was requested and assigned on the oss-security mailing list, and the issue has even been listed in OSVDB for over 12 months now.

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
This was not a very critical security vulnerability, but it could have been used by a malicious attacker to get session identifiers from a logged-in administrator. People behind vulnerability databases could implement a feature to send automatic emails about new vulnerabilities to a vendor's contact email if one is known or has been reported to the project.
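To show the bug class behind the NVD description and what the upstream fix has to achieve, here is an added PHP illustration; it is not Serendipity's own spell-check-savedicts.php (whose code is not reproduced in this post) but a hypothetical handler that reflects the to_r_list parameter unescaped, beside the escaped form and the cookie setting that limits the session-theft impact mentioned above.

```php
<?php
// Added illustration, not Serendipity's code: a minimal handler that echoes
// the "to_r_list" query parameter back into the page. The parameter name
// and the proof-of-concept value come from the advisory; the handler
// structure is assumed.

// Vulnerable pattern: the raw query parameter is concatenated into HTML,
// so a value such as <script>alert(123)</script> becomes live markup.
function render_unsafe(array $get): string
{
    $list = $get['to_r_list'] ?? '';
    return '<div id="to_r_list">' . $list . '</div>';
}

// Hardened pattern: escape for the HTML context at the point of output.
// ENT_QUOTES also covers single- and double-quoted attribute contexts, and
// the explicit charset avoids surprises with multibyte input.
function render_safe(array $get): string
{
    $list = $get['to_r_list'] ?? '';
    $escaped = htmlspecialchars($list, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div id="to_r_list">' . $escaped . '</div>';
}

// Defence in depth for the impact named in the post (session identifier
// theft): an HttpOnly session cookie is not readable by injected script.
// Must be called before session_start(); requires PHP 7.3 or newer.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

// Constructed input mirroring the advisory's proof of concept after URL decoding.
$sample = ['to_r_list' => '<script>alert(123)</script>/'];

echo render_unsafe($sample), "\n"; // markup reflected verbatim
echo render_safe($sample), "\n";   // markup neutralised as text
```

Run with `php example.php` on the command line to compare the two outputs; in a real deployment the escaping belongs in every place the parameter is written into the response, not only one.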