This new Serendipity release addresses a local file inclusion security issue discovered yesterday. It was possible to give a special parameter to a serendipity file to include a file on your own web-tree (or other files the webserver has read access to). If used on clear-text files, this could be used to disclose information like the apache logfiles on your website.
This error can only happen in a scenario with two prerequisites: Register_Globals needs to be turned on in your PHP configuration AND your webserver must ignore the default Serendipity .htaccess file. This .htaccess file usually prevents to directly call Serendipity's include files via HTTP. Thus we feel that only a very low percentage of installations should be affected by this bug.
However, Serendipity 1.0.4 is a recommended upgrade for everyone taking security responsibly, like we do. We are thankful to the community for inspecting Serendipity, searching for bugs and security issues and reporting them to us. In this case, many thanks to Majestic from the forums for notifying us.
Most of the plugins (both bundled and available via spartacus) were upgraded to also circumvent that bug, so you should upgrade all of your active plugins to the recent versions as well.
The Serendipity 1.1 release tree was also modified with a patch for this issue. It will be contained in todays snapshot, and the 1.1-beta6 release file. The easy steps to perform an upgrade are documented in our FAQ on http://www.s9y.org/.
- superBlog on : Serendipity 1.0.4
- Aufrechte Neuigkeitenverbreitung Vauzwei on : Kleinkram: Shopping, Serendipity 1.0.4
- ridcully.info on : Serendipity Update
- Bloganbieter.de on : Serendipity in Version 1.0.4 released
- Nur ein Blog on : Serendipity 1.0.4. downloadbar
- laemmys blog on : s9y update
- Doomshammer's Weblog on : S9Y updated
- Der Freizeitblogger on : Auch ich hab upgedatet
- Raimondo Fanale on : aggiornato serendipity ed il template