Serendipity 1.5.3 released, Security Issue with Xinha

Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.

A security issue was discovered by Stefan Esser during the Month of PHP Security. The issue lies in the WYSIWYG library Xinha (which Serendipity bundles) and affects certain Xinha plugins (Linker, ImageManager, ExtendedFileManager, InsertSnippet) that can use a dynamic configuration loader. This loader allows uploading a file containing arbitrary PHP code and thus allows remote code execution, even without being logged in to the Xinha/Serendipity backend.

Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not actively using the mentioned Xinha plugins can simply delete the file htmlarea/contrib/php-xinha.php, which renders the mentioned plugins, and the exploit, useless.
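An added check that applies the advice above (it is not part of the release or of Serendipity's own code): it reports whether the dynamic configuration loader file is still present in an install and which of the affected plugins ship alongside it, and removes the file for sites that do not use those plugins. Only the path htmlarea/contrib/php-xinha.php is taken from the advisory; the plugin directory names under htmlarea/plugins/ are an assumption.

```shell
#!/bin/sh
# Added example: check a Serendipity install for the Xinha dynamic
# configuration loader named in the advisory and apply the workaround.
# Only htmlarea/contrib/php-xinha.php is taken from the advisory; the
# plugin directory names under htmlarea/plugins/ are an assumption.

# Usage: xinha_loader_status <serendipity_root>
# Prints one status line; returns 0 if the loader is absent, 1 if present.
xinha_loader_status() {
    root=$1
    loader="$root/htmlarea/contrib/php-xinha.php"
    # Older installs without a bundled Xinha have no htmlarea/ at all.
    if [ ! -d "$root/htmlarea" ]; then
        echo "no htmlarea/ directory: this install does not bundle Xinha"
        return 0
    fi
    if [ ! -f "$loader" ]; then
        echo "php-xinha.php absent: dynamic configuration loader already removed"
        return 0
    fi
    # List which of the affected plugins are installed next to the loader.
    plugins=""
    for p in Linker ImageManager ExtendedFileManager InsertSnippet; do
        if [ -d "$root/htmlarea/plugins/$p" ]; then
            plugins="$plugins $p"
        fi
    done
    echo "php-xinha.php present; affected plugins installed:${plugins:- none}"
    return 1
}

# The advisory's workaround for sites not using those plugins: delete the loader.
remove_xinha_loader() {
    rm -f "$1/htmlarea/contrib/php-xinha.php"
}

# Report on the install given as first argument (default: current directory).
xinha_loader_status "${1:-.}"
```

Run it against the web root of each install; a non-zero exit means the loader is still reachable and either the upgrade or the file removal is still outstanding.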

Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.



Berlinaut:

Thanks for the fast update! Is it also possible just to upgrade a few files?

public:

Thanks. But on the left side of this page version 1.5.1 is still recommended.

bed:

Yeah! Why? How about replacing "php-xinha.php" from the 1.5.3 file, does it solve the issue?

JCG:

Thanks a lot for your very fast reaction.

Mandrake:

Garvin, does replacing "php-xinha.php" from the 1.5.3 file solve the issue?

sph:

I don't know which version of Serendipity I use, but I actually don't have the "contrib/" directory in "htmlarea".

And there's no "php-xinha.php" file anywhere.

In fact, I searched the whole installation and there is not a single thing called something like "xinha".

Yes, I didn't update for... a long time. But especially on this php-xinha topic: should I be worried?

