Serendipity 1.0.4 released!

This new Serendipity release addresses a local file inclusion security issue discovered yesterday. It was possible to give a special parameter to a serendipity file to include a file on your own web-tree (or other files the webserver has read access to). If used on clear-text files, this could be used to disclose information like the apache logfiles on your website.

This error can only happen in a scenario with two prerequisites: Register_Globals needs to be turned on in your PHP configuration AND your webserver must ignore the default Serendipity .htaccess file. This .htaccess file usually prevents to directly call Serendipity's include files via HTTP. Thus we feel that only a very low percentage of installations should be affected by this bug.

However, Serendipity 1.0.4 is a recommended upgrade for everyone taking security responsibly, like we do. We are thankful to the community for inspecting Serendipity, searching for bugs and security issues and reporting them to us. In this case, many thanks to Majestic from the forums for notifying us.

Most of the plugins (both bundled and available via spartacus) were upgraded to also circumvent that bug, so you should upgrade all of your active plugins to the recent versions as well.

The Serendipity 1.1 release tree was also modified with a patch for this issue. It will be contained in todays snapshot, and the 1.1-beta6 release file. The easy steps to perform an upgrade are documented in our FAQ on http://www.s9y.org/.

Trackbacks

Trackback specific URI for this entry

Comments

Display comments as (Linear | Threaded)

Manuel Charisius on at :

That's what I call a fast response to a security issue! Thanks a lot, Garvin!

BTW, the links to 1.1-beta6 on the download page haven't been updated yet (they're still pointing to Beta 5).

Best regards,
-Manuel

moo on at :

Excellent. This kind of responsible, proactive, approach to security is why I plan to be a long-term serendipity user. Thanks!!

z on at :

Where is the documentation for the installation? It would be good if it was on the zip itself, not on the webpage! Now where can I find it!?

Garvin on at :

Hi!

Documentation always changes and is enlarged, so packing it offline in a ZIP is not clever.

Our documentation is on www.s9y.org, you sadly have to wait until our server is restored.

Regards,
Garvin

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed