Serendipity 0.8.4 released

Serendipity 0.8.4 has been released today. As mentioned in this blog post, this release addresses the security issues with the PEAR:XML_RPC library.

If you already deleted your serendipity_xmlrpc.php file, an upgrade is not required. If you do not want to upgrade, just delete your current serendipity_xmlrpc.php file and you will not be affected by security issues.

Anyone who wants to use XML-RPC posting to Serendipity will now need to install the XML-RPC posting plugin, as discussed in the blog entry mentioned above.

This release also addresses a few other minor issues:

  • Fix the problem that sometimes calendar images are displayed too large in the Internet Explorer
  • Hide title of an entry when an entry is a draft (Bug #1260667)
  • Allow Serendipity to use an existing PEAR installation on the server. Set "$serendipity['use_PEAR'] = true;" in your serendipity_config_local.inc.php or serendipity_config.inc.php file. The required packages can be found in the bundled-libs/.current_version file.
  • Append the comment id to the mail that is sent to subscribers of an entry, so that they can jump to the submitted comment immediately.

You can download the release here: Download. SVN (tags/0.8.4) and CVS (HEAD) repositories have also been updated.

Have fun with Serendipity!

XML-RPC API unbundled from Serendipity 0.9

In the current development version of Serendipity, we have unbundled the XML-RPC API functions from the release version and made the functionality to post entries via XML-RPC (MT/Blogger API) calls available as an additional plugin called Post via XML-RPC (serendipity_event_xmlrpc).

The reason for this is that, in our experience, very few people use XML-RPC posting, and it is an inherent security risk to have this functionality available if you don't use it, as the past has proven. To overcome this possible vulnerability, you now need to actively install the mentioned plugin to make XML-RPC posting available. Sending and receiving trackbacks is NOT affected by this, only the "Server" part of that API is.

The URL for the API endpoints will not change; if you have not installed the plugin, you will see an error message displayed. Outsourcing this functionality as a plugin allows the Serendipity Team to respond more easily to new issues with the plugin and to make enhancements to the XML-RPC module.

Our general advice for Serendipity 0.8.3 users is to remove the serendipity_xmlrpc.php file if you do not use XML-RPC entry posting.

New security/bugfix release: Serendipity 0.8.3 is out

There's good and bad news.

The bad news is:

  • A possible Cross-Site Scripting (XSS) injection, reported by Ilia Alshanetsky (thank you!), allows commenting users to inject special markup into your entry.
  • Another bug has been found in the handling of received comments. It was possible to submit comments for non-existing entries, which caused mails to be sent to the owner of the blog and allowed headers to be injected into that e-mail. Ultimately this could lead to your server being used for sending specially crafted emails.
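As an added illustration (not Serendipity's own code), a hardened comment handler in PHP showing the checks the two fixes above imply: a comment is only accepted for an entry that exists, nothing a commenter supplies may reach an e-mail header unescaped, and comment text is escaped when rendered so injected markup is neutralised. The PDO connection, table and column names and the owner address are assumptions.

```php
<?php
// Added illustration, not Serendipity's own code. $pdo is an assumed PDO
// connection; the table/column names and owner address are assumptions.

function entryExists(PDO $pdo, int $entryId): bool {
    $stmt = $pdo->prepare('SELECT 1 FROM entries WHERE id = ? AND isdraft = 0');
    $stmt->execute([$entryId]);
    return (bool) $stmt->fetchColumn();
}

// E-mail header injection relies on smuggling CR/LF (or NUL) into a value that
// is placed on a header line. Refuse such values outright rather than cleaning.
function safeHeaderValue(string $value): string {
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('control characters in header value');
    }
    return $value;
}

// Escape at render time so a commenter cannot inject markup into the page (XSS).
function renderComment(string $author, string $body): string {
    return '<p><b>' . htmlspecialchars($author, ENT_QUOTES, 'UTF-8') . '</b>: '
         . nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8')) . '</p>';
}

function acceptComment(PDO $pdo, int $entryId, string $name, string $email, string $body): bool {
    // No existing entry: no database write and, crucially, no notification mail.
    if (!entryExists($pdo, $entryId)) {
        return false;
    }
    // FILTER_VALIDATE_EMAIL also rejects addresses containing CR/LF.
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return false;
    }
    $fromName = safeHeaderValue($name);

    $stmt = $pdo->prepare('INSERT INTO comments (entry_id, author, email, body) VALUES (?, ?, ?, ?)');
    $stmt->execute([$entryId, $fromName, $email, $body]);

    // Notify the owner. Headers are built only from validated values; the
    // untrusted comment text goes into the message body, never into a header.
    $subject = 'New comment on entry #' . $entryId;
    $headers = 'From: ' . $fromName . ' <' . $email . '>' . "\r\n";
    return mail('owner@example.com', $subject, "Comment by {$name}:\n\n{$body}", $headers);
}
```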

The good news is:

  • Serendipity 0.8.3 has been released, which fixes these bugs.
  • The upgrade once again is very easy: Download the release, unpack the files to your webspace (overwriting old files, but keeping your personal plugins/templates/media files), open your blog administration and click on "Perform update". Always be sure to make a backup of your old files and database tables first, and make sure that the files serendipity_config_local.inc.php and .htaccess are writable for your PHP/webserver user. If you have made manual changes to any of the bundled files, we suggest you connect to our CVS or SVN repositories and make a diff of your changes.
  • The XSS only allows a reduced set of malicious exploits. And as most of you authors probably check the comments of your users on your blog, you would easily spot a user posting "bad code".
  • The current generation of "advanced web scanners", which scan HTML pages for XSS vulnerabilities, no longer finds any XSS loopholes on the pages produced by Serendipity.

The even better news is that new features are also introduced:

  • We used this opportunity of a new release to backport some more (minor) bugfixes of the upcoming 0.9 release and updated our bundled libraries.
  • Full Korean language support with translation of almost all plugins, thanks to Wesley Hwang-Chung.
  • New template hooks to allow plugins (serendipity_event_pagenugget) to output header/footer HTML nuggets.
  • New configuration directive to configure the used Blog e-mail address for sending comments.

We are very sorry for the inconvenience this may cause you. We are trying hard to deliver to all of our users a blog application that is as secure and feature-loaded as possible, but since we are all fallible humans, there are always errors that slip through, in every project, be it open source or commercial. We take it as a chance and opportunity to fix the bugs and issues reported to us and to improve Serendipity to be the most stable blogging system available. This year has brought many XSS vulnerabilities and has raised overall attention to code quality, which we feel is a good thing for every project.

Please also note that we are working hard on the current 0.9 version of Serendipity. This introduces flexible and granular privilege control, custom permalinks, per-category templating, UTF-8 languages and much, much more. Read our ChangeLog for more information and check out the nightly snapshot in our download area. Feedback, as always, is appreciated.

In the end, have fun with Serendipity! :-)

Download link: Serendipity 0.8.3

On behalf of the Serendipity Team,
Garvin