Serendipity 0.8.5 released
Posted by Garvin Hicking in Announcements, Security
Trackbacks (7)
Thanks to Nenad Jovanovic (a pleasure to have worked with), we were notified of a serious problem: under certain circumstances, Serendipity functionality could be hijacked when a logged-in user was lured onto a foreign malicious website.
The effect of this issue was that anyone who knew the URL of your backend could change your user password and lock you out of the system. Two conditions had to hold for this to work: first, you had to be logged in to your Serendipity backend via a session or permanent cookie, and second, you had to visit the webpage of a malicious user.
As a follow-up to this problem, it came to our attention that Serendipity (like many other web applications - watch the upcoming releases of your favourite software over the next days) can be subject to XSRF ("Cross Site Request Forgery") attacks. Any web application that relies on session cookies and whose backend URL is publicly known can be tricked by such XSRF attacks if it does not verify the origin of a submitted HTML form.
Serendipity 0.8.5 addresses this problem by introducing HTML form tokens. Administrative tasks are carried out only when the correct token is present in the submitted form, and foreign websites cannot obtain that token under normal circumstances.
We strongly recommend upgrading to Serendipity 0.8.5! The 0.9 development versions also fix this bug; please read the separate 0.9-beta1 announcement for more information.
Updating from any Serendipity version is easy: back up first, then extract the release files over your old installation, make sure the files .htaccess and serendipity_config_local.inc.php are writable, log in to Serendipity and follow the automatic upgrade process.
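The following is an added illustration of the form-token mechanism described above; it is example code written for this page, not Serendipity's own implementation. It models a logged-in session whose cookie the browser sends automatically, shows that a form rendered by the backend carries the session's token, and shows that a request forged from a foreign site (which has the cookie but not the token) is refused. The in-memory `sessions` store and the `changePassword` action name are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for server-side session storage (example only).
sessions = {}


def start_session(user="admin"):
    """Log a user in: issue a session id and an unguessable per-session form token."""
    sid = secrets.token_hex(16)
    sessions[sid] = {"user": user, "form_token": secrets.token_hex(32)}
    return sid


def render_admin_form(sid):
    """The backend embeds the session's token as a hidden field in every admin form.
    A foreign site cannot read this page, so it cannot learn the token."""
    return {"action": "changePassword", "form_token": sessions[sid]["form_token"]}


def handle_admin_post(cookie_sid, post):
    """Carry out an administrative task only if the submitted token matches the session.

    cookie_sid: session id the browser attached automatically (sent even for
                requests triggered by a foreign page).
    post:       the submitted form fields.
    Returns (allowed, message)."""
    session = sessions.get(cookie_sid)
    if session is None:
        return False, "not logged in"
    submitted = post.get("form_token", "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(submitted, session["form_token"]):
        return False, "rejected: missing or invalid form token"
    return True, "ok: %s for %s" % (post.get("action"), session["user"])


def demo():
    """Legitimate submission succeeds; a cross-site forgery with the cookie but no token fails."""
    sid = start_session()
    legit = handle_admin_post(sid, render_admin_form(sid))
    # Forged request: the attacker's page knows the action but not the token.
    forged = handle_admin_post(sid, {"action": "changePassword"})
    return legit, forged


if __name__ == "__main__":
    for allowed, msg in demo():
        print(allowed, msg)
```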
Version 0.8.5 of Serendipity fixes an apparently rather ugly bug, so: update.
Tracked: Sep 29, 21:01
Today I've updated my blog to version 0.8.5 link to the serendipity blog...
Tracked: Sep 29, 21:38
In Serendipity 0.8.5 released Garvin writes: Thanks to Nenad Jovanovic (a pleasure to have worked with), we were notified of a serious problem with hijacking Serendipity functionality under certain circumstances when users are tricked on foreign malici
Tracked: Sep 29, 22:02
Read at Kris's and in the s9y blog. Update immediately or as soon as possible, even if it is not quite that critical. The update worked for me without any problems.
Tracked: Sep 30, 01:48
s9y QUOTE:Thanks to Nenad Jovanovic (a pleasure to have worked with), we were notified of a serious problem with hijacking Serendipity functionality under certain circumstances when users are tricked on foreign malicious websites. The effects of that i
Tracked: Sep 30, 07:48
I didn't even notice that a new Serendipity version has been out since Thursday. Since the update is once again recommended, I have just installed it. The installation was once again absolutely trouble-free. Simply copy over,
Tracked: Sep 30, 22:15
As reported, there is a new update, which I of course installed "immediately" today :P and there is even a beta of s9y 0.9!
Tracked: Sep 30, 22:28