Security

The Serendipity Team is proud to present the final release and immediate availability of Serendipity 1.2.

This release is a feature consolidation release and focuses on small usability improvements, a shiny new template (bulletproof) as well as backend templating and backend login mechanisms as well as some tighter security restrictions.

Some more changes in depth are:

• Templates: The new bulletproof template is an awesome example to show off Serendipity's cool template options. This template allows you to easily configure the look of your Serendipity site: Place navigation links, choose sidebar layouts, indicate if you want to use/show trackbacks and comments, pick your custom header image or even custom colorsets. Don Chambers, Matthias Mees and David Cummins as well as other contributors have worked very hard on this template that provides an awesome, unified template structure. Go to their site at http://s9y-bulletproof.com to check out the details!
• Templates: The admin backend (overview page and entry editor) can now be styled via Smarty and gives you the full flexibility to make a custom look of the backend. Plus, more CSS classes have been added to the default admin theme that make CSS-only changes much easier. Templates now also can have large preview images by clicking on their thumbnail.
• Usability: Moved the problematic option to withdraw your own privileges from personal configuration to the user configuration panel.
• Feature: Added SQLite3 and PDO:PostgreSQL support.
• Feature: Allow to configure whether article overviews for a certain category should include articles of subcategories or not.
• Performance: Improved SQL performance for archive overview generation and permalink lookups.
• Plugins: Plugins can now hook in much earlier to make external authentication easier (like trough the OpenID plugin).
• Spam: Enhanced the spamblock plugin with captcha previews, .htaccess generation and some more options.
• Security: Stronger autologin cookie encryption and template option handling, thanks (once again) to Stefan Esser. Proper session fixation prevention, thanks to David Vieira-Kurz.
• Bugfix: Sending pingbacks now properly works.
• Bugfix: The Track-Exits plugin now properly tracks links in conjunction with the caching of the entryproperties plugin.

The full list of changes can be found in the NEWS-file of the release.

You can download the new release as always on the Serendipity homepage at http://www.s9y.org/3.html. Updating is easy: Just upload the new files, visit your Serendipity installation and let the upgrader do the rest.

After the upgrade you might want to purge your browser's cookies (due to the new authentication mechanism of Serendipity 1.2) to prevent login problems. Detailed upgrade instructions can be found in the FAQ on our website.

Enjoy Serendipity, and thanks to everyone who participated in the release process!

For the team,
Garvin.

Thanks to Erich Schubert, we were made aware of a bug and security issue in the Plugin Extended properties for entries. Since this plugin is delivered with the core release, we have created a new Serendipity release for both the current stable 1.1 version tree, as well as a new 1.2 beta version.

Serendipity Users that are using the mentioned plugin do not need to upgrade the full release, they can just fetch the updated version of the plugin through this direct link. Put that updated file into your plugins/ serendipity_event_entryproperties/ serendipity_event_entryproperties.php file.

The actual bug was, that people were able to deliver custom entryproperties settings to the Serendipity Frontend via a HTTP-Request, which made them able to bypass a possibly used passwort protection. Any other restriction of viewability of entries done via category read-privileges were not affected, though.

Bottom line is: If you are using password protection for entries, this security update is mandatory for you. Also if you were generally using the entryproperties plugin (which is not installed by default in Serendipity), you are urged to update your plugin. Only people not using this plugin need not care about this issue.

You can download the new full releases as always on the Serendipity download page.

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted to the function that fetches comment information. This variable was introduced to Serendipity 1.1 - all prior versions are not affected.

Please update your blogs as soon as possible. If you are using a database backend that allows SQL union queries, the injection could probably lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest to update your blog user account passwords.

It is a good idea to check your server's Access-Logs and search for the 'commentMode' variable to see, if malicious request have been issued to your blog already.

For those people that do not want to upgrade to a whole new version, you can also simply patch the file include/functions_comments.inc.php and replace the single occurence of:

$type = $serendipity['GET']['commentMode'];

to

$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);

We are very sorry for this, but happy to provide a quick fix in short time. You can download the latest files as usual on www.s9y.org. Read the FAQ on how to perform an easy update.

This evening we were notified by fellow co-developer Sebastian Nohn about a full-disclosure posting about a Serendipity SQL injection matter. We have investigated this reported 0day issue, and can tell you that it is not a SQL injection,but instead "only"an SQL error display.

No SQL can be injected using the described method. Because of an invalid category ID, serendipity tries to show entries for that category, but the resulting SQL string contains an emtpy "(())" statement which makes the MySQL parser fail, and report the error on-screen. The SQL queries that Serendipity uses are not secret, and could be looked up in the sourcecode as well.

Even though we consider this issue to be fairly low-impact, Serendipity 1.1.2 has been released because of this, mainly to assure the public that we have addressed the issue. It is not critical that you upgrade to that release. If you do, it is sufficient to update the include/functions_entries.inc.php file. The only change made to that function is documented here

We would also like to express, that we kindly appreciate all bug and security reports about Serendipity, and take them and our responsibility very seriously. Also rest assured that if you contact us developer first before publishing security advisories, we always cooperate, pay credit and fix issues immediately, as we have done in the past. So we look forward to working together with SaMuschie in the future, who seems to taking some serious work in checking security issues - good work on that! :-)

The latest release can be downloaded here. This fix has also been committed to the daily snapshots.

The Serendipity Team is proud to release the Serendipity Weblog version 1.1 to the public.

This new version is aimed for feature enhancement and stability consolidation. The most important change is the overhaul of the media database, which vastly enhances the already obvious superiority of Serendipity's Media management. In depth this means that you can now store and customize meta properties easily - store descriptions, EXIF-Tags and keywords which you can later see and search in your database. You can also now assign detailed privileges for each directory of the media database, and the output is now completely templated. Yes, that means you can customize and style your very own media database, both effective in the backend and the frontend.

The other important change is more granular plugin permission management. You can enable/disable certain markup-plugins on a per-entry basis, and allow/forbid specific usergroups to access certain plugins.

Another visual apparent change is the overhaul of the plugin manager. You can now drag'n'drop order and move your plugins around. Together with the ability of templates to specific the amount and names of sidebars, you have virtually unlimited flexibility for plugin management!

Templating has also intensively been upgraded in the respect of themes being able to specify custom "options". A theme could allow you to choose navigation links, colorsets and much more. Explore the possibilites! Many themes by Carl Galloway and other great designers from our forums have already used that feature to provide you with many cool options!

For the developers among us, it might be of interest to note that Serendipity now also supports easy custom template-engine support. Tired of Smarty? You can also use a plain old PHP template emulation or even a XSLT-transformation layer (read more on this topic here).

Of course we have not only focussed on injecting features, but also fixed some minor bugs, a huge-impact central SQL query optimization and glitches and smaller improvements. In total we have 29 feature improvements, 24 bugfixes and 21 usability/technical improvements. For intense reports on this either read our NEWS-file or past 1.1-beta announcements here and there.

Upgrading is easy as always: Download, unpack, go to your Admin panel, done. Read more here: Serendipity FAQ. The download is available here: Serendipity Download Page.

We hope you'll have fun with this new release and continue to make Serendipity an ever-improving system. Let's have a great 2007!

This new Serendipity release addresses a local file inclusion security issue discovered yesterday. It was possible to give a special parameter to a serendipity file to include a file on your own web-tree (or other files the webserver has read access to). If used on clear-text files, this could be used to disclose information like the apache logfiles on your website.

This error can only happen in a scenario with two prerequisites: Register_Globals needs to be turned on in your PHP configuration AND your webserver must ignore the default Serendipity .htaccess file. This .htaccess file usually prevents to directly call Serendipity's include files via HTTP. Thus we feel that only a very low percentage of installations should be affected by this bug.

However, Serendipity 1.0.4 is a recommended upgrade for everyone taking security responsibly, like we do. We are thankful to the community for inspecting Serendipity, searching for bugs and security issues and reporting them to us. In this case, many thanks to Majestic from the forums for notifying us.

Most of the plugins (both bundled and available via spartacus) were upgraded to also circumvent that bug, so you should upgrade all of your active plugins to the recent versions as well.

The Serendipity 1.1 release tree was also modified with a patch for this issue. It will be contained in todays snapshot, and the 1.1-beta6 release file. The easy steps to perform an upgrade are documented in our FAQ on http://www.s9y.org/.