There's good and bad news.
The bad news is:
- A possible Cross-Site Scripting (XSS) injection has been reported by Ilia Alshanetsky (thank you!) that allows commenting users to inject special markup into your entry.
- Another bug has been found in the handling of received comments. It was possible to submit comments for non-existing entries, which still caused mails to be sent to the owner of the blog and allowed headers to be injected into that e-mail. Ultimately this could lead to your server being used to send specially crafted e-mails.
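To make the second issue concrete, here is an added illustration (not Serendipity's own code) of the two checks a comment-notification handler needs before it mails the blog owner: the entry must exist, and nothing placed into a mail header may contain CR or LF. The entries array, function names and sample inputs are constructed for this example.

```php
<?php
// Constructed stand-in for the entries table; a real handler would query the database.
$known_entries = [1 => 'Hello world', 2 => 'Second post'];

function entry_exists(array $entries, int $id): bool {
    return array_key_exists($id, $entries);
}

// A header value may never contain CR or LF: a line break is what lets a commenter
// append extra headers (Bcc:, a second To:, ...) to the notification mail.
function header_safe(string $value): ?string {
    if (preg_match('/[\r\n]/', $value)) {
        return null; // reject outright rather than trying to repair it
    }
    return trim($value);
}

// Returns the mail to send, or null when the comment must not trigger any mail at all.
function build_comment_mail(array $entries, int $entry_id, string $name, string $email, string $body): ?array {
    if (!entry_exists($entries, $entry_id)) {
        return null; // no entry, no mail: closes the "comment on a non-existent entry" path
    }
    $name  = header_safe($name);
    $email = header_safe($email);
    if ($name === null || $email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The comment text goes into the body, not the headers, so newlines there are harmless.
    return [
        'subject' => 'New comment on "' . $entries[$entry_id] . '"',
        'headers' => "From: {$name} <{$email}>\r\nReply-To: {$email}",
        'body'    => $body,
    ];
}

// Constructed sample inputs: a legitimate comment, one carrying an injected header
// in the name field, and one addressed to an entry that does not exist.
$ok       = build_comment_mail($known_entries, 1, 'Alice', 'alice@example.org', 'Nice post!');
$injected = build_comment_mail($known_entries, 1, "Mallory\r\nBcc: list@example.net", 'm@example.org', 'hi');
$missing  = build_comment_mail($known_entries, 999, 'Bob', 'bob@example.org', 'hi');

var_dump($ok !== null, $injected === null, $missing === null);
```

Only the first call yields a mail; the other two are dropped before anything reaches the mail transport.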
The good news is:
- Serendipity 0.8.3 has been released, which fixes these bugs.
- The upgrade once again is very easy: download the release, unpack the files to your webspace (overwriting old files, but keeping your personal plugins/templates/media files), open your blog administration and click on "Perform update". Always be sure to make a backup of your old files and database tables first, and make sure that the files serendipity_config_local.inc.php and .htaccess are writable by your PHP/webserver user. If you have made manual changes to any of the bundled files, we suggest that you connect to our CVS or SVN repositories and make a diff of your changes.
- The XSS only allows for a reduced set of malicious exploits to occur. And as most of you authors probably check the comments your users leave on your blog, you would easily spot a user posting "bad code".
- The current generation of "advanced web scanners", which scan HTML pages for XSS attacks, no longer finds any XSS loopholes on the pages produced by Serendipity.
The even better news is that new features are also introduced:
- We used this opportunity of a new release to backport some more (minor) bugfixes of the upcoming 0.9 release and updated our bundled libraries.
- Full Korean language support with translation of almost all plugins, thanks to Wesley Hwang-Chung.
- New template hooks to allow plugins (serendipity_event_pagenugget) to output header/footer HTML nuggets.
- New configuration directive to configure the blog e-mail address used for sending comments.
We are very sorry for the inconvenience this may cause you. We are trying hard to deliver to all of our users a blog application that is as secure and feature-loaded as possible, but since we are all fallible humans there are always errors that slip through, in every project, be it open source or commercial. We take it as a chance and opportunity to fix bugs and issues reported to us and to improve Serendipity into the most stable blogging system available. This year has brought many XSS vulnerabilities and has raised overall attention to code quality, which we feel is a good thing for every project.
Please also note that we are working hard on the current 0.9 version of Serendipity. It introduces flexible and granular privilege control, custom permalinks, per-category templating, UTF-8 languages and much, much more. Read our ChangeLog for more information and check out the nightly snapshot in our download area. Feedback, as always, is appreciated.
In the end, have fun with Serendipity! :-)
Download link: Serendipity 0.8.3
On behalf of the Serendipity Team,