Arbitrary header inclusion in "Mail Entry" plugin

Thanks to a user on the forums I was notified of an arbitrary header injection issue in the "Mail Entry" plugin. This plugin is only available in our additional_plugins repository; it is neither bundled nor installed by default, and (judging by the forum messages) it is not a frequently used plugin. In this plugin it was possible for spammers to inject arbitrary e-mail header fields into a mail that was passed to the PHP mail() function. Header injection of this kind works by embedding a line break (CR/LF) in a form field that ends up on a header line: everything after the line break is interpreted as further header fields, such as additional Bcc: recipients. This can lead to your server being used as a spam or phishing mail relay. It does not expose SQL or author data and does not make your blog as such insecure. Many mail servers also do not let spam mails like these through if they apply some level of relay checking.

The additional_plugins repository contains several plugins from other people, for which the Serendipity developers can only take a ground-level of responsibility. We leave much of the responsibility to the authors, even though we perform several tests on new plugins, and we are very sorry for this security issue in the plugin. We strongly advise plugin authors to use the serendipity_sendMail() function to send e-mails, which applies some validation of e-mail headers.

Version 1.20 of the plugin has just been committed and can be fetched from CVS after the usual SourceForge anonymous lag of about 24 hours. Users of that plugin are urged to either remove the plugin or temporarily deactivate it until they have upgraded to the new version.
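To make the bug class concrete, here is an added PHP example. It is not the Mail Entry plugin's code, not Serendipity's, and not serendipity_sendMail(); it reconstructs the vulnerable pattern from the description above next to a hardened version. The form submission is constructed, and all function and field names are assumptions made for the example.

```php
<?php
// Added example for this post: NOT the Mail Entry plugin's code and NOT
// serendipity_sendMail(). It shows the general bug class (CR/LF header
// injection into PHP's mail()) and one way to validate header values before
// they reach mail(). Function names and form fields are assumptions.

// Constructed input, as a spammer's form submission might look: the "name"
// field smuggles a Bcc: header behind a CRLF, the "subject" field behind a
// bare LF (mail transfer agents accept both as line ends).
$constructedPost = [
    'name'    => "Alice\r\nBcc: victim1@example.org, victim2@example.org",
    'email'   => 'visitor@example.com',
    'subject' => "Hello\nBcc: victim3@example.org",
    'message' => 'Look at this entry.',
];

// Vulnerable pattern: form values are concatenated into header lines as-is,
// so a line break in any of them ends the current header and starts new ones.
function buildHeadersVulnerable(array $post): string
{
    return "From: {$post['name']} <{$post['email']}>\r\n"
         . "Reply-To: {$post['email']}\r\n";
}

// Hardened pattern: anything that goes onto a header line must not contain
// CR, LF or NUL, and addresses must be syntactically valid.
function sanitizeHeaderValue(string $value): string
{
    return trim(str_replace(["\r", "\n", "\0"], '', $value));
}

function validatedAddress(string $address): string
{
    // FILTER_VALIDATE_EMAIL rejects addresses containing line breaks or
    // whitespace, so an injected header cannot ride along in the address.
    $clean = filter_var($address, FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $clean;
}

function buildHeadersHardened(array $post): string
{
    $from = validatedAddress($post['email']);
    // Quote the display name so stray ':' or ',' characters stay inert.
    $name = '"' . str_replace('"', '', sanitizeHeaderValue($post['name'])) . '"';
    return "From: {$name} <{$from}>\r\nReply-To: {$from}\r\n";
}

// Subject and To are separate mail() arguments but are injectable the same
// way, so they get the same treatment.
function safeSubject(string $subject): string
{
    return sanitizeHeaderValue($subject);
}

// Check for a finished header block: every line must start with one of the
// header names we wrote ourselves; anything else was injected by the input.
function containsInjectedHeader(string $headers, array $allowedNames): bool
{
    $lines = preg_split('/\r\n|\r|\n/', rtrim($headers, "\r\n"));
    foreach ($lines as $line) {
        $name = explode(':', $line, 2)[0];
        if (!in_array($name, $allowedNames, true)) {
            return true;
        }
    }
    return false;
}

$allowed    = ['From', 'Reply-To'];
$vulnerable = buildHeadersVulnerable($constructedPost);
$hardened   = buildHeadersHardened($constructedPost);

var_dump(containsInjectedHeader($vulnerable, $allowed));
var_dump(containsInjectedHeader($hardened, $allowed));

// Only ever hand validated pieces to mail(). Left commented out so running
// the example does not try to send anything.
// mail('blog-owner@example.com', safeSubject($constructedPost['subject']),
//      $constructedPost['message'], $hardened);
```

Run from the command line, the check flags the header block built by the vulnerable function (it contains a Bcc: line the form never asked for) and passes the hardened one. Stripping CR, LF and NUL is the minimum; rejecting the submission outright when they are present is the stricter choice, since a legitimate name or subject never contains a line break.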

New plugins: Markread, Showentries

I've committed two new plugins to the repository. First, serendipity_event_markread ("Show read/unread state of entries for visitors"), a plugin that allows you to mark entries as read for your visitors. Just as the description says *g*. This is very useful for aggregator sites; the plugin offers new Smarty variables (look at the PHP code for details) so that you can style your entry layout depending on the read state of an entry.

You could, for example, show the extended body for all unread entries, and only show the first 20 characters for all read entries. Use the power!

The read state is saved in an additional DB table, and a cookie is set to remember your visitor ID. If you're a registered author/user of the blog, the cookie is set in a way that your read state is carried over when you log on from other computers. As an anonymous user, your read state is per computer.

The second plugin is serendipity_plugin_showentries ("Show entries in sidebar"). It allows you to show an entry listing, with body texts and so on, of certain entries inside the sidebar. You can show entries of a specific category there, which makes it great for moblogging sidebars, where you can fetch all entries of a "Moblog" category.

Have fun and a nice weekend, Garvin