Important Security Update: Serendipity 1.5.5 released

Serendipity bundles the powerful Xinha WYSIWYG editor to provide its functionality to our users.

Xinha ships with several plugins that utilize PHP scripting for special usage, like the ImageManager or ExtendedFileManager. A 0-day security exploit has been reported available as of today that exploits the functionality of these plugins to upload malicious files to your webspace, to execute foreign code.

Since no official patch has been made on the Xinha side, the Serendipity Team has released an updated version where those active Xinha-Plugins are no longer executable.

If you do not wish to apply the patch to the most recent Serendipity version 1.5.5 you can remove those files:

  • htmlarea/contrib/php-xinha.php
  • htmlarea/plugins/ExtendedFileManager/
  • htmlarea/plugins/FormOperations/formmail.php
  • htmlarea/plugins/HtmlTidy/html-tidy-logic.php
  • htmlarea/plugins/ImageManager/
  • htmlarea/plugins/InsertPicture/InsertPicture.php
  • htmlarea/plugins/InsertSnippet/snippets.php
  • htmlarea/plugins/SpellChecker/aspell_setup.php
  • htmlarea/plugins/SpellChecker/spell-check-logic.php
  • htmlarea/plugins/SuperClean/tidy.php

The provided functionality is usually not enabled by default, since Serendipity provides its own media file manager.

Future serendipity releases might re-enable these features, once they are safely patched.

To see if you are infected, please check the directories htmlarea/plugins/ImageManager/demo_images and htmlarea/plugins/ExtendedFileManager/demo_images to see if files have been uploaded there. If so, delete the files and check your webspace for other modified files, as well as change your passwords for FTP and SQL access. Please upgrade as soon as possible.

The release can be found on the Serendipity Download page. All serendipity versions from 1.4 to 1.6 (alpha) are affected. 1.6 alpha users should migrate to a recent SVN head checkout or tomorrow's snapshot.

Thanks a lot to Hauser & Wenz for reporting the issue. Serendipity fully acknowledges responsible full disclosure, non-reported 0-day exploits are helping nobody of true OpenSource spirit.


Trackback specific URI for this entry


Display comments as (Linear | Threaded)

Matthew Weigel on at :

To clarify, the files "bikerpeep.jpg," "wesnoth078.jpg," and "linux/linux.gif" in those two directories are provided in the stock download. Their presence should not, I don't think, mean that your s9y blog is infected.

On the other hand, would an infected blog be able to delete incriminating evidence in these directories?

Marco on at :

Thanks for the clarification, I was shocked for a few seconds. ;)

Markus Hansen on at :

I have incoming traffic from searches for "powered by s9y", heading straight over to [path]/htmlarea/plugins/ExtendedFileManager/manager.php - better apply those patches everyone.

Alan Kennington on at :

Yes, I had exactly the same thing. First there was a search for in Netherlands Google from an HTTP client IP address which is apparently in Latvia.

Then they made a jump directly to htmlarea/plugins/ExtendedFileManager/manager.php.

Gangrif on at :

I actually had my system compromised as a result of this exploit. It occurred on 11/24. I tied it together when i found out about this exploit. The system has already been wiped and rebuilt. I have log data if anyone is interested.

F. Leven on at :

My site was hacked and files are uploaded to (jpg/txt/php) :


all index sites are changed and some php lines are inserted. i can mail the changes if someones is interested

macdet on at :

@F. Leven - please send!

I am under work :) seems time to look for an upgrade!

lte on at :

great! Looking forward :)

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

BBCode format allowed