Serendipity 0.8.5 released

Thanks to Nenad Jovanovic (a pleasure to have worked with), we were notified of a serious problem with hijacking Serendipity functionality under certain circumstances when users are tricked on foreign malicious websites.

The effects of that issue resulted in the possibility that when people know the URL to your Backend, they were able to change your user password and lock you out of the system. However you were required to do two things for this to work: First you'd need to be logged in to your Serendipity backend via a session or permanent cookie, and second you would need to visit the webpage of a malicious user.

As a follow-up to this problem, it came to our attention that Serendipity (like many other web applications - watch the next releases of your favourite software in the next days) can be subject to XSRF ("Cross Site Request Forgery") attacks. All web applications that depend on session cookies and have their backend URL known to the public can be tricked into those XSRF attacks when not verifying the origin of a submitted HTML form.

Serendipity 0.8.5 addresses this problem by introducing HTML-form tokens. Only if they are set, the administrative tasks requested will be carried out - and foreign websites can not get that token under usual circumstances.

It is strongly suggested to upgrade to Serendipity 0.8.5! The development versions of 0.9 also fixed this bug, please read the separate 0.9-beta1 announcement for more information.

Updating from any Serendipity version is easy: Backup first, then extract the release files over your old installation, make sure the files .htaccess/ are writable, login to Serendipity and be guided through the automatic upgrade process.

Download the release here

Serendipity 0.9-beta1 released

The Serendipity Team is very proud to present the first beta release of Serendipity 0.9. This version has been in development for about half a year, and alpha version nightlies/snapshot have been available ever since. Thus, many people already got a hang of the large feature improvements since Serendipity 0.8.

The nightlies have been reported as quite stable, and there are no open bugs known to us - so now it's your turn to have a try!

Upgrading from any version to Serendipity 0.9 is easy and can be done as before: Just unpack the release files to your existing directory, go to your admin panel and confirm the upgrade process. Serendipity automatically upgrades your database and tells you of important changes. If you are upgrading from a version prior to Serendipity 0.8, be sure to read this upgrade pointer:

With the same method you can later upgrade to the 0.9 final release, so you won't put yourself in danger when trying out the release.

Now here's a list of major new changes since Serendipity 0.8:

  • Flexible usergroup management. Authors can now be grouped inside usergroups and can have certain privileges (edit entries, upload images, maintain plugins, ...). An author can be a member of more than one groups, inheriting all privileges of each group he is a member of. You can also now adjust read/write permissions for each category.
  • Custom Permalink support. Allows to configure the URL path structure from all important permalinks to suit your needs - you can now use /oldEntries/2005/10/28/Garvins-Birthday.html as entry permalink format or any other structure you may like.
  • UTF-8 support for all languages and bundled/additional plugins. Be sure to read for migrating an non-UTF-8 blog to UTF-8
  • Improved performance of Plugin API, introduce validation of config items within the API
  • Improved Spartacus Online Repository. Less memory usage, now also fetch templates over the web, plugin groups and better integration with the plugin backend
  • Better usability: Multiple fileupload at once, media manager remembers last used settings, when deleting entries/comments you return to the overview immediately, foundation to support other WYSIWYG editors via plugin (TinyMCE, Xinha, FCKEditor)
  • Atom 1.0 Feed support
  • Improved MoveableType import, recognizing comments and trackbacks
  • Support of MySQL boolean fulltext search
  • More smarty templating options: Added new CSS classes in the default template to support styling trackback/comment/commentform/search-results easier. Localized "Reply" string. Optimized performance of accessing constants.
  • Support frontend viewing of multiple selected categories and allowing the entryproperties plugin to hide certain entries from the frontpage.
  • Support Gregorian/Jalali calendar
  • New translations: Swedish, Hungarian, European Portuguese
  • Bugfix: Category selector will now act correctly in Konqueror and Opera
  • Bugfix: Importers can now import from tables that are not inside the same database as Serendipity

And those are only the highlights! See the docs/NEWS file in the release file for the full list of changes.

Now what are you waiting for? Download latest release!