Serendipity 1.5.3 released, Security Issue with Xinha
Posted by Garvin Hicking in Announcements, Security at 13:37
Comments (7)
Trackbacks (0)
Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.
A security issue was discovered by Stefan Esser during the Month of PHP Security. The issue is in the WYSIWYG library Xinha (which Serendipity uses) and affects certain Xinha plugins (Linker, ImageManager, ExtendedFileManager, InsertSnippet) that can use a dynamic configuration loader. This loader allows uploading a file containing arbitrary PHP code and thus allows remote code execution, even without being logged in to the Xinha/Serendipity backend.
Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not actively using the mentioned Xinha plugins can simply delete the file htmlarea/contrib/php-xinha.php, which renders the mentioned plugins, and the exploit, unusable.
Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.
Security update for Freetag Plugin
Posted by Garvin Hicking in Announcements, Security at 09:52
Comments (4)
Trackbacks (0)
Thanks to Niels Provos, we have been informed of a security issue in the Serendipity Freetag plugin (serendipity_event_freetag). Versions up to 3.08 contained a bug that did not properly escape a GET variable used in an SQL statement, leading to a possible SQL injection attack.
The impact of this is considered to be low, as the query is only used for displaying meta keywords inside a blog entry, and the usual MySQL client libraries do not allow executing multiple stacked SQL queries to drop tables etc.
Nevertheless, you should upgrade this plugin version. It is available on Spartacus, or for manual download.
Serendipity Snapshot: New login hashing
Posted by Garvin Hicking in Development, Security at 14:04
Comments (8)
Trackbacks (0)
For quite some time, Serendipity has used old-fashioned MD5 hashes to secure your passwords for logins to the backend.
Because mechanisms to crack MD5 hashes with rainbow tables or even "dictionary hash" lookups are getting more and more popular, we have decided to finally take the step of raising the Serendipity hashing mechanism to something salted and more secure (SHA1). Even though MD5 hashes are still reasonably(!) safe when you use long, randomized passwords, the old-style hashing is a one-way route to hell.
Because Serendipity has always placed a high value on backwards compatibility, ease of use and ease of upgrading, we have decided to take the "soft" upgrade approach. That means new Serendipity versions will accept your old MD5 login ONCE, and then use the password you entered to create the safer hash and store that in the database.
This will help in hypothetical attack situations where someone might have gotten hold of the hash values stored inside the database, because they will no longer be able to reverse-engineer your original password.
We could use help from any developer or beta tester trying out the new functionality. Upgrading to the latest snapshot (get it from the s9y nightly downloads) with Serendipity 1.5-alpha2 will deploy the necessary database upgrades. Note that the one-time MD5 login is only possible in the first 6 months after you performed the installation of this Serendipity version (tracked through a saved timestamp in the database); after that timespan, you can no longer log in with the old password and must have your password reset by the administrator (or by manual means, if you are the administrator).
Once you perform the update (do not try this on production blogs currently), everything should continue as usual. If it does not, please report your exact problems here or in the forums. It is suggested that once you have the new Serendipity version you change your password, so that nobody who might already have obtained your old MD5 hash can use the reverse-engineered password to log in again with the new hash created from the same original password.
Feedback is appreciated. The current mechanism is subject to change and is currently more of a proof of concept; feedback will most definitely lead to improvement. :-)
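The soft-upgrade login flow described above, modelled as an added Python example (this is not Serendipity's own PHP code). The stored hash format, the salt scheme and a 180-day grace window are assumptions, since the post does not specify them; the behaviour shown is the one the post describes: a legacy MD5 hash is accepted once, only inside the grace window, and is replaced by a salted SHA1 hash on that first login.

```python
import hashlib
import hmac
import secrets

# Assumed grace window: the post says "6 months"; 180 days is our reading of it.
GRACE_SECONDS = 180 * 24 * 3600


def legacy_md5(password: str) -> str:
    """Old-style Serendipity hash: plain unsalted MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha1(password: str, salt: str) -> str:
    """New-style hash. Storage format 'salt$sha1(salt+password)' is assumed, not the project's."""
    return salt + "$" + hashlib.sha1((salt + password).encode()).hexdigest()


def is_legacy(stored: str) -> bool:
    """A bare 32-char hex string with no salt separator is an un-migrated MD5 hash."""
    return "$" not in stored and len(stored) == 32


def authenticate(user: dict, password: str, now: float, upgrade_ts: float) -> bool:
    """Verify a login; migrates a legacy MD5 hash in place on its first successful use.

    user       -- mutable record with a 'password' field (stands in for the DB row)
    now        -- current Unix time
    upgrade_ts -- timestamp saved when this Serendipity version was installed
    """
    stored = user["password"]
    if not is_legacy(stored):
        salt, _ = stored.split("$", 1)
        return hmac.compare_digest(salted_sha1(password, salt), stored)
    # Legacy hash: only honoured inside the grace window after the upgrade.
    if now - upgrade_ts > GRACE_SECONDS:
        return False  # caller must fall back to an admin-driven password reset
    if not hmac.compare_digest(legacy_md5(password), stored):
        return False
    # One-time migration: the MD5 hash is overwritten and never accepted again.
    user["password"] = salted_sha1(password, secrets.token_hex(8))
    return True
```

Note that a stolen MD5 hash still reveals the password itself if it is cracked, which is why the post also recommends changing the password after the upgrade; the migration only removes the unsalted hash from storage.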
Serendipity 1.3.1 released
Posted by Garvin Hicking in Announcements, Security at 10:37
Comments (7)
Trackbacks (0)
Serendipity 1.3.1 has been released. This is a bugfix and security related release, basically addressing a potential XSS issue within the Top Referrers plugin as well as hypothetical XSS issues with the installer.
This release also addresses some basic PostgreSQL 8 related problems, because implicit type casts have been removed in this version, causing breakage with several Serendipity core features. The fix for this is only partial, and breakage will still happen in (less common) functions of Serendipity. There is no ultimate solution to this because implicit type casts are required for certain entryproperty operations. Maybe the PostgreSQL 8 team will think about whether implicit type casts are not also quite helpful. ;-)
The only new feature addition is the exposure of a new Smarty {serendipity_getImageSize} function.
This upgrade is recommended for users of the Top Referrers plugin and for new installations of Serendipity. Many thanks to Hanno Böck, once again, for reporting (and fixing) the two XSS issues (CVE-2008-1385 and CVE-2008-1386)!
You can find the new release on the s9y.org download page. Upgrade by simply uploading the extracted archive files to your webspace.
Serendipity 1.3 released (addresses security)
Posted by Garvin Hicking in Announcements, Development, Security at 10:11
Comments (12)
Trackbacks (0)
Serendipity 1.3 has finally been released. The new release is mainly a feature consolidation release, but also contains XSS security fixes:
- The karma rating plugin has been upgraded to support nice, CSS-based rating graphics (see this post) and has had an overall overhaul of its code.
- The Spartacus plugin can now use FTP upload, a workaround for PHP SafeMode restrictions. A remote backend for plugin update checks has also been added.
- An importer for phpNuke and lifetype has been added.
- Support for pingbacks has been improved a lot. Trackbacks can now be blocked based on sender IP checks.
- Better CSS styling for some internal plugins and for the embedding of images. The Remote-RSS plugin is now capable of Smarty templating.
- Increased Smarty templating features for the {serendipity_fetchPrintEntries} function, to be able to check for entry properties.
- Add support for SQRelay.
- Minor CSS and graphic updates to the Bulletproof template.
The full list of 41 changes in this release is documented in the NEWS file.
Regarding security, the bundled Smarty library has been updated to version 2.6.19, which addresses an issue in environments where the PHP security mode is required. Also, the new Serendipity release contains tighter backend XSS checks so that environments with untrusted authors can be more secure; many thanks to Hanno Böck for addressing this. Most importantly, an issue with XSS attacks within received trackbacks was discovered by Peter Hüwe and has been fixed.
The update is as easy as usual, and recommended for Serendipity users, especially if you do not regularly moderate or check your incoming trackbacks.
Upgrade pointers can be found in the FAQ; upgrading is as easy as uploading the new files.
Have fun!
Freetag plugin updated to prevent XSS
Posted by Garvin Hicking in Announcements, Security at 14:49
Comments (4)
Trackbacks (0)
The Freetag plugin has been updated to version 2.96 to fix a possible XSS in the tagcloud output.
XSS attacks can be used to display foreign HTML or JavaScript to visitors of the blog if they visit specially crafted URLs. This attack basically allows cookie stealing.
Users of the Freetag plugin should upgrade to the latest version; upgrading via the Spartacus plugin or Spartacus.s9y.org is just a matter of a few minutes. Thanks to Alex from Bitsploit.de for reporting this issue to us.