Serendipity 1.5.3 released, Security Issue with Xinha

Monday, May 10. 2010
Posted by Garvin Hicking in Announcements, Security

Comments (7)
Trackbacks (0)

Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.

A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG-Library Xinha (that Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows to upload file with arbitrary PHP-Code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.

Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.

Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.


Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Thanks for the fast update! Is it also possible just to upgrade a few files?
#1 Berlinaut (Homepage) on 2010-05-11 00:49
Thanks. But on the left side of this page version 1.5.1 is still recommendated.
#2 public on 2010-05-11 09:50
Yeah! Why?
how about replacing "php-xinha.php" from the 1.5.3 file, does it solve the issue?
#2.1 bed (Homepage) on 2010-05-15 13:45
Thanks for your update.
#3 Luo Chunhui (Homepage) on 2010-05-13 15:28
Thanks a lot for your very fast reaction.
#4 JCG (Homepage) on 2010-05-13 23:02
Garvin, does replacing "php-xinha.php" from the 1.5.3 file solves the issue?
#5 Mandrake (Homepage) on 2010-05-14 19:05
err...

i don't know which version of serendipity i use - but i actually don't have the "contrib/"-directory in "htmlarea".

and there's no "php-xinha.php"-file anywhere.

in fact, i searched the whole installation and there is not a single thing called something like "xinha".


yes, i didn't update for... long time. but especially on this php-xinha-topic: should i be worried?

greets!
#6 sph on 2010-05-21 14:39

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed
 
 
 
 

Frontpage - Top level

 

Quicksearch


Categories


All categories

Archives


Development state

The current nightly/GitHub trunk state is: 1.7

Recommendation(s): Use 1.7 release

Please report issues and bugs on our Forums. Your help is very much appreciated.


Syndicate This Blog


More Feeds/Information

Event Plugins
Sidebar Plugins
s9y Github
Serendipity around the world