Serendipity 1.1.4 released, security bug in entryproperties plugin

Thanks to Erich Schubert, we were made aware of a bug and security issue in the Plugin Extended properties for entries. Since this plugin is delivered with the core release, we have created a new Serendipity release for both the current stable 1.1 version tree, as well as a new 1.2 beta version.

Serendipity Users that are using the mentioned plugin do not need to upgrade the full release, they can just fetch the updated version of the plugin through this direct link. Put that updated file into your plugins/ serendipity_event_entryproperties/ serendipity_event_entryproperties.php file.

The actual bug was, that people were able to deliver custom entryproperties settings to the Serendipity Frontend via a HTTP-Request, which made them able to bypass a possibly used passwort protection. Any other restriction of viewability of entries done via category read-privileges were not affected, though.

Bottom line is: If you are using password protection for entries, this security update is mandatory for you. Also if you were generally using the entryproperties plugin (which is not installed by default in Serendipity), you are urged to update your plugin. Only people not using this plugin need not care about this issue.

You can download the new full releases as always on the Serendipity download page.


Trackback-URL für diesen Eintrag

  • Keine Trackbacks


Ansicht der Kommentare: (Linear | Verschachtelt)

Noch keine Kommentare

Kommentar schreiben

Die angegebene E-Mail-Adresse wird nicht dargestellt, sondern nur für eventuelle Benachrichtigungen verwendet.

Um maschinelle und automatische Übertragung von Spamkommentaren zu verhindern, bitte die Zeichenfolge im dargestellten Bild in der Eingabemaske eintragen. Nur wenn die Zeichenfolge richtig eingegeben wurde, kann der Kommentar angenommen werden. Bitte beachten Sie, dass Ihr Browser Cookies unterstützen muss, um dieses Verfahren anzuwenden.

BBCode-Formatierung erlaubt
Markdown-Formatierung erlaubt