Serendipity 1.5.3 released, Security Issue with Xinha

Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.

A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG-Library Xinha (that Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows to upload file with arbitrary PHP-Code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.

Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.

Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.


Trackback specific URI for this entry


Display comments as (Linear | Threaded)

Berlinaut on at :

Thanks for the fast update! Is it also possible just to upgrade a few files?

public on at :

Thanks. But on the left side of this page version 1.5.1 is still recommendated.

bed on at :

Yeah! Why? how about replacing "php-xinha.php" from the 1.5.3 file, does it solve the issue?

JCG on at :

Thanks a lot for your very fast reaction.

Mandrake on at :

Garvin, does replacing "php-xinha.php" from the 1.5.3 file solves the issue?

sph on at :


i don't know which version of serendipity i use - but i actually don't have the "contrib/"-directory in "htmlarea".

and there's no "php-xinha.php"-file anywhere.

in fact, i searched the whole installation and there is not a single thing called something like "xinha".

yes, i didn't update for... long time. but especially on this php-xinha-topic: should i be worried?


Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

BBCode format allowed
Markdown format allowed