Serendipity 0.8.5 released – Serendipity

Thanks to Nenad Jovanovic (a pleasure to have worked with), we were notified of a serious problem with hijacking Serendipity functionality under certain circumstances when users are tricked on foreign malicious websites.

The effects of that issue resulted in the possibility that when people know the URL to your Backend, they were able to change your user password and lock you out of the system. However you were required to do two things for this to work: First you'd need to be logged in to your Serendipity backend via a session or permanent cookie, and second you would need to visit the webpage of a malicious user.

As a follow-up to this problem, it came to our attention that Serendipity (like many other web applications - watch the next releases of your favourite software in the next days) can be subject to XSRF ("Cross Site Request Forgery") attacks. All web applications that depend on session cookies and have their backend URL known to the public can be tricked into those XSRF attacks when not verifying the origin of a submitted HTML form.

Serendipity 0.8.5 addresses this problem by introducing HTML-form tokens. Only if they are set, the administrative tasks requested will be carried out - and foreign websites can not get that token under usual circumstances.

It is strongly suggested to upgrade to Serendipity 0.8.5! The development versions of 0.9 also fixed this bug, please read the separate 0.9-beta1 announcement for more information.

Updating from any Serendipity version is easy: Backup first, then extract the release files over your old installation, make sure the files .htaccess/serendipity_config_local.inc.php are writable, login to Serendipity and be guided through the automatic upgrade process.

Download the release here