CVE-2020-10964
📋 TL;DR
This vulnerability in the Serendipity blog software allows remote attackers to execute arbitrary PHP code on Windows systems. An uploaded file can be renamed to a name that ends in a .php extension followed by a trailing dot; the extension check does not treat the name as PHP, but Windows silently strips trailing dots from filenames, so the file is stored with a .php extension. All Serendipity installations on Windows before version 2.3.4 are affected.
💻 Affected Systems
- Serendipity
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise with remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.
Likely Case
Webshell deployment leading to data theft, defacement, or use as part of a botnet.
If Mitigated
File upload attempts blocked or sanitized, preventing PHP execution.
🎯 Exploit Status
Exploit involves uploading a file and manipulating the rename operation to create a PHP file. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.4
Vendor Advisory: https://blog.s9y.org/archives/290-Serendipity-2.3.4-released-security-update.html
Restart Required: No
Instructions:
1. Back up your Serendipity installation and database.
2. Download Serendipity 2.3.4 from GitHub releases.
3. Replace all files except configuration files and uploaded content.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Disable file uploads
Prevent file uploads entirely by disabling the relevant plugins or functionality.
Restrict file extensions
Configure the web server to block execution of uploaded files with a .php extension.
For Apache: Add 'php_flag engine off' to .htaccess in upload directory
For Nginx: location ~ \.php$ { deny all; } in upload directory
🧯 If You Can't Patch
- Migrate the Serendipity installation to a Linux server, where the trailing-dot filename behaviour that enables this vulnerability does not exist
- Implement strict WAF rules to block file uploads containing PHP extensions or suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check if Serendipity version is below 2.3.4 and running on Windows. Review file upload functionality for ability to rename files with trailing dots.
Check Version:
Check Serendipity version in admin dashboard or look for version.php file containing version information.
Verify Fix Applied:
After patching, attempt to upload a file with trailing dot and verify it cannot be renamed to .php extension.
📡 Detection & Monitoring
Log Indicators:
- File upload attempts with unusual filenames containing trailing dots
- File rename operations creating .php files in upload directories
- Web server logs showing execution of unexpected PHP files
Network Indicators:
- HTTP POST requests to file upload endpoints with manipulated filenames
- Unexpected outbound connections from web server after file upload
SIEM Query:
source="web_logs" AND (
  ((uri_path="/serendipity_admin.php" OR uri_path CONTAINS "upload") AND filename ENDS WITH ".")
  OR (uri_path CONTAINS "upload" AND uri_path ENDS WITH ".php" AND response_code=200)
)
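As an added example (not code from the advisory or from Serendipity itself), the following shows why an extension check must validate the name as Windows will store it, and applies the log indicators above to constructed upload/rename events. The blocklist, event field names and sample filenames are assumptions for illustration.

```python
from typing import Optional

# Assumed blocklist of server-side executable extensions (not from the advisory).
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}


def windows_normalize(name: str) -> str:
    """Mimic Win32 path normalization: trailing dots and spaces are dropped
    from the final component, so 'shell.php.' is created on disk as 'shell.php'."""
    return name.rstrip(". ")


def effective_extension(name: str) -> str:
    """Extension of the name as the Windows filesystem would actually store it."""
    stored = windows_normalize(name)
    return stored.rsplit(".", 1)[-1].lower() if "." in stored else ""


def naive_is_blocked(name: str) -> bool:
    """A check on the raw user string: 'shell.php.' has extension '' and passes."""
    return name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS


def is_blocked_upload(name: str) -> bool:
    """Hardened check: validate the stored form, not the raw user string."""
    return effective_extension(name) in BLOCKED_EXTENSIONS


# Constructed upload/rename events in the shape a SIEM might carry
# (field names are assumptions, not Serendipity's own log format).
SAMPLE_EVENTS = [
    {"uri_path": "/serendipity_admin.php", "action": "upload", "filename": "photo.jpg"},
    {"uri_path": "/serendipity_admin.php", "action": "rename", "filename": "shell.php."},
    {"uri_path": "/serendipity_admin.php", "action": "rename", "filename": "notes.txt  "},
    {"uri_path": "/serendipity_admin.php", "action": "upload", "filename": "readme.PHTML"},
]


def flag_event(event: dict) -> Optional[str]:
    """Return a reason if the event matches the log indicators listed above."""
    name = event["filename"]
    if is_blocked_upload(name):
        return "filename resolves to a blocked executable extension"
    if name != windows_normalize(name):
        return "filename has trailing dot/space (Windows normalization trick)"
    return None


def scan_events(events: list) -> list:
    """Flagged (filename, reason) pairs from a list of upload/rename events."""
    return [(e["filename"], r) for e in events if (r := flag_event(e))]
```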