Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit

Sunday, June 17. 2007
Posted by Garvin in Announcements, Development, Security

Comments (18)
Trackbacks (0)

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted to the function that fetches comment information. This variable was introduced to Serendipity 1.1 - all prior versions are not affected.

Please update your blogs as soon as possible. If you are using a database backend that allows SQL union queries, the injection could probably lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest to update your blog user account passwords.

It is a good idea to check your server's Access-Logs and search for the 'commentMode' variable to see, if malicious request have been issued to your blog already.

For those people that do not want to upgrade to a whole new version, you can also simply patch the file include/functions_comments.inc.php and replace the single occurence of:

$type = $serendipity['GET']['commentMode'];

to

$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);

We are very sorry for this, but happy to provide a quick fix in short time. You can download the latest files as usual on www.s9y.org. Read the FAQ on how to perform an easy update.


Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Done. Thanks for the info and quick fix (modding the comments.inc.php).
#1 Neut (Homepage) on 2007-06-17 14:49 (Reply)
Thx for the info. I've made a whole upgrade...
#2 sqall (Homepage) on 2007-06-17 15:22 (Reply)
Just upgraded from v1.1.1 to v1.2 beta 2. Thanks.
#3 deminy (Homepage) on 2007-06-17 17:21 (Reply)
Fast as lightning! Thanks a lot, Garvin! :)
#4 Manuel Charisius (Homepage) on 2007-06-17 19:11 (Reply)
Thx...Very fast. I made a whole update, but this patch works also well...
#5 Ben (Homepage) on 2007-06-17 23:48 (Reply)
Too bad the late great hacker Dr. Neal Krawetz didn't find this vulnerability. He just checked his http logs after getting owned.
#6 disgruntled user on 2007-06-18 00:10 (Reply)
How was he owned? As of 10 minutes ago, he seems to be running a non-vulerable version of s9y. I've sent him an email asking about this.
#6.1 Really? on 2007-06-18 05:30 (Reply)
That was fast. He just wrote back and included some of his logs. He says he wasn't owned and his logs show someone trying different SQL variations for more than 12 hours without success.

Hey disgruntled user: his last log entry was from a few hours ago, just before your posting here. Are you the guy at 24.154.233.208 who failed to own his blog?
#6.1.1 Really? on 2007-06-18 06:08 (Reply)
thx!

that was very fast.
i love this software ;)
#7 Niels (Homepage) on 2007-06-18 08:57 (Reply)
Awesome! Thanks!
#8 Hasdne on 2007-06-18 11:31 (Reply)
Thanks for the fix!

I did mod the code. Seemed to be the fastest way. No need to upload the full package again when it's only 1 line of code that has changed.

Thanks again!

Paws ^^
#9 Paws (Homepage) on 2007-06-18 14:21 (Reply)
Thanks! *fixed
#10 Ben (Homepage) on 2007-06-18 19:16 (Reply)
Thanks.
Great Software. :-)
#11 Kangaxx (Homepage) on 2007-06-22 11:02 (Reply)
italian blogger :P
#12 scatterhead (Homepage) on 2007-06-25 01:29 (Reply)
Thanks for the fast fix and the info to prevent a full upgrade...
#13 Andy (Homepage) on 2007-06-25 14:34 (Reply)
Thanks a lot. Just updated! ;-)
#14 Jörg (Homepage) on 2007-06-26 10:17 (Reply)
thanks very much, updated it
#15 Luca (Homepage) on 2007-06-27 19:45 (Reply)
Thanks for the fix! Very important for me :)
#16 verb0ten (Homepage) on 2007-06-28 16:14 (Reply)

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed
 
 
 
 

Frontpage - Top level

 

Quicksearch


Categories


All categories

Archives

May 2008
April 2008
March 2008
Recent...
Older...

SVN/CVS state

The current nightly/SVN trunk state is: testing 1.4

News: Performance of entryproperties-plugin

Recommendation(s): Use 1.3 release

Please report issues and bugs on our Bugtracker. Your help is very much appreciated.


Syndicate This Blog


More RSS Feeds

Event Plugins
Sidebar Plugins
SVN/CVS commits
Serendipity around the world

Serendipity-Handbuch jetzt vorbestellen


Das offizielle, umfassende Serendipity-Handbuch für Einsteiger und Profis ist beinahe fertig. Jetzt vorbestellen bei Amazon oder Open Source Press!