Serendipity 1.7.7 released

Thanks (again!) to Stefan Schurtz for bringing three security issues to our attention, which are fixed with Serendipity 1.7.7:

  • An XSS by using a specially crafted username can happen when viewing the "Manage users" screen
  • An XSS when creating an entry with specially crafted id/timestamp values
  • SQL injection when installing a plugin with a specially crafted name

Now, all these issues can only be exploited in the backend, so it means someone would need to send you a maliciously crafted link which you click on (or your own blog editors, if you have them, want to target you). Since nowadays people can easily be tricked into "clicking" crafted links (for example by using URL shorteners), we regard this issue as critical, and you should upgrade as soon as you can. Remember that you can always improve your chances of not being affected by XSS attacks like these by logging out of Serendipity when you are no longer working in it; XSS attacks through those links will then not be executed, since you would first need to log in to your backend. This applies to any web application, so make use of the Logout button. ;-)

This release also addresses an issue with the nl2br plugin in conjunction with the WYSIWYG editor. The plugin will show you some useful information in its configuration screen on how to use it if you also use WYSIWYG editors or other markup plugins. Also, the templatechooser plugin will now work properly again with some older templates. The PHP < 5.3 fix for the textile plugin not working properly has also been addressed (again).

Upgrading Serendipity is as simple as usual: ideally make a backup first, and then just upload the new release files to your blog.

UPDATE: The release 1.7.6 had a typo in one PHP file, so 1.7.7 has been released immediately after this.


zahid hasan on at :

Wow! amazing blog layout ! How long have you been blogging for? You make blogging look easy..
