Serendipity 2.0.2 Security Fix Release

Thanks to a report by Tim Coen (of Curesec GmbH) we were able to address three security issues in the Serendipity code.

The first issue: authenticated authors were allowed to upload files with the extensions .pht and .phtml. On Apache webserver configurations that map these suffixes to the PHP handler, such an upload is executed as PHP code. If your blog grants upload access to untrusted authors, you should regard this issue as a critical risk.
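Whether the upload issue is exploitable on a given host depends on the Apache configuration, so the check a practitioner wants here is an audit of which suffixes the web server hands to PHP. The following is an added example, not code from the original announcement, from Serendipity or from Apache: a POSIX shell script that reads an Apache configuration and reports whether a given file name would be executed as PHP, followed by a vhost fragment that strips PHP handling from the uploads directory. The sample configuration text, the file names and the uploads path /var/www/serendipity/uploads are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from Serendipity, Curesec or Apache): audit which
# file suffixes an Apache configuration hands to the PHP handler, so you can
# tell whether a .pht or .phtml file dropped into the uploads directory would
# be executed.  The configuration text below is constructed for the demo; on a
# real host, pass the concatenated server and module configuration instead.

# Constructed sample: a FilesMatch/SetHandler block in the style shipped by
# several distributions, plus an older AddType line that also lists .pht.
SAMPLE_CONF='<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
AddType application/x-httpd-php .php .phtml .pht
AddType image/jpeg .jpg'

# Print each suffix named on an AddType/AddHandler line whose target mentions php.
php_suffixes() {
    printf '%s\n' "$1" | awk '
        tolower($1) ~ /^add(type|handler)$/ && tolower($2) ~ /php/ {
            for (i = 3; i <= NF; i++) print $i
        }'
}

# Print the regex of each <FilesMatch> block that contains a PHP SetHandler.
# Assumes the one-directive-per-line layout used by the shipped module configs.
php_filesmatch_patterns() {
    printf '%s\n' "$1" | awk '
        /<FilesMatch[ \t]/ {
            pat = $0
            sub(/.*<FilesMatch[ \t]+"/, "", pat)
            sub(/".*/, "", pat)
            next
        }
        /<\/FilesMatch>/ { pat = "" }
        pat != "" && /SetHandler[ \t]+[^ \t]*php/ { print pat }'
}

# Return 0 if NAME would be run as PHP under CONF, 1 otherwise.  mod_mime
# matches suffixes case-insensitively, so the suffix is lowercased first.
# FilesMatch regexes are case-sensitive unless written with (?i), which grep -E
# cannot express, so a mixed-case name may pass this check yet still execute.
would_run_as_php() {
    name=$1
    conf=$2
    ext=$(printf '%s' ".${name##*.}" | tr 'A-Z' 'a-z')
    for s in $(php_suffixes "$conf"); do
        if [ "$s" = "$ext" ]; then
            return 0
        fi
    done
    while IFS= read -r re; do
        [ -n "$re" ] || continue
        if printf '%s\n' "$name" | grep -Eq -e "$re"; then
            return 0
        fi
    done <<EOF
$(php_filesmatch_patterns "$conf")
EOF
    return 1
}

# Hardening for the vhost: below the (assumed) uploads path strip every PHP
# handler and refuse to serve PHP-looking names outright, so a stray handler
# directive elsewhere in the configuration cannot reach them.  With mod_php you
# can additionally put "php_admin_flag engine off" inside the Directory block.
uploads_hardening() {
    cat <<'EOF'
<Directory "/var/www/serendipity/uploads">
    RemoveHandler .php .phtml .pht .phar
    RemoveType    .php .phtml .pht .phar
    <FilesMatch "(?i)\.(php[0-9]?|pht|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
EOF
}

# Stand-alone demo against the constructed sample configuration.
for f in backdoor.pht tool.phar Photo.JPG; do
    if would_run_as_php "$f" "$SAMPLE_CONF"; then
        echo "$f: would be executed as PHP"
    else
        echo "$f: served as a plain file"
    fi
done
echo
uploads_hardening
```

On a Debian-style host you would call `would_run_as_php shell.pht "$(cat /etc/apache2/apache2.conf /etc/apache2/mods-enabled/php*.conf)"` (those paths are an assumption; adjust for your distribution). The audit only looks at the final suffix; with AddHandler-style lines Apache's multi-extension handling can still execute a name such as x.php.jpg, which is why the hardening fragment denies the files rather than trying to filter names, and why the server-side fix in 2.0.2 matters even on hosts where this check comes back clean.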

The second issue is missing escaping of comment approval tokens (when that feature is enabled in your blog), which allows SQL injection that can leak data or cause a denial of service. Exploiting it requires an authenticated user to be tricked into clicking a specifically crafted URL (medium risk).

The third issue is missing escaping of a commenting user's name in the JavaScript of the 2k11 theme (the default theme), a cross-site scripting issue that is triggered when a user clicks the "Reply" link of a comment (medium risk).

We have prepared a new release for each of our two currently maintained Serendipity branches and recommend that you update your Serendipity installation:

  • 2.0.2 is the recommended release
  • 1.7.9 is the hotfix release for everyone not yet running Serendipity 2.x (you should!)

Check out the download locations for the release files.

Of course, everyone who uses our GitHub repository to check out the Serendipity files gets the patches by pulling our 2.0 branch, or master (2.1.x) for the current development version.

Updating Serendipity is painless: upload or check out the release files and go to the administration suite, where you can confirm the upgrade. Alternatively, the auto-update plugin lets you install the update from within the administration suite once we are able to upload the release to our SourceForge repository (which is down right now).

We are happy to have been able to coordinate this release with Tim and to provide improved security for our users.


Comments


Ian:

Please Note: If you wait until tomorrow and update the Serendipity Autoupdate plugin to version 1.1.4 via Spartacus first, you can use the automatic update as always! We have changed the download URL to fetch and check via GitHub now. If you don't want to wait and are in a hurry, download this file and drop it onto your 'plugins/serendipityeventautoupdate/serendipityeventautoupdate.php' file: https://raw.githubusercontent.com/s9y/additionalplugins/master/serendipityeventautoupdate/serendipityevent_autoupdate.php

Ian:

Maybe it is worth mentioning here that there are a bunch of other interesting fixes, upgrades, enhancements, etc. coming with v2.0.2 too. The addressed flaws were just the reason to get it out immediately. :)

hoschi:

@1: Autoupdate fails; it seems to fetch the right checksum from the website, but either it fetches the wrong update or something else (with a different checksum).

Ian:

@hoschi Please use the forum for issues. The autoupdate is working with version 1.1.4, which was updated immediately after the 2.0.2 release. We changed the download and checksum origins while SourceForge had troubles. If you already did update the autoupdater and still get this message, please check whether you have an incomplete download zip file in templates_c. A complete one is about 7.5 MB. Delete that file and autoupdate again.

Anonymous:

I just released Serendipity autoupdater plugin v1.1.5, which can now automatically take care of previously broken download zips. Tomorrow on Spartacus.
