Serendipity 1.7.7 released

Thanks (again!) to Stefan Schurtz for bringing three security issues to our attention, which are fixed with Serendipity 1.7.7:

  • An XSS by using a specially crafted username can happen when viewing the "Manage users" screen
  • An XSS when creating an entry with specially crafted id/timestamp values
  • SQL injection when installing a plugin with a specially crafted name

Now, all these issues can only be exploited in the backend, so it means someone would need to send you a maliciously crafted link which you click on (or your own blog editors, if you have them, want to target you). Since today, people can be easily tricked into "clicking" crafted links (by using URL shorteners like, we regard this issue as critical, and you should upgrade as soon as you can. Remember you can always improve the chances of not being affected by XSS attacks like these by logging out of Serendipity when you are no longer working in it; then XSS attacks through those links will not be executed, since you would first need to login to your backend. This also applies to any web application, so make use of this Logout-Button. ;-)

This release also addresses an issue with the nl2br plugin in conjunction with the WYISWYG editor. The plugin will show you some useful information in its configuration screen on how to use it, if you also use WYSIWYG editors or other markup plugins. Also, the templatechooser plugin will now work properly again with some older templates. The PHP < 5.3 fix for the textile plugin not properly working has also been adressed (again).

Upgrading Serendipity is simple as usual: Ideally make a backup first, and then just upload the new release files to your blog.

UPDATE: The release 1.7.6 had a typo in one PHP file, so 1.7.7 has been released immediately after this.


Trackback-URL für diesen Eintrag


Ansicht der Kommentare: (Linear | Verschachtelt)

zahid hasan am um :

Wow! amazing blog layout ! How long have you been blogging for? You make blogging look easy..

Kommentar schreiben

Die angegebene E-Mail-Adresse wird nicht dargestellt, sondern nur für eventuelle Benachrichtigungen verwendet.

Um maschinelle und automatische Übertragung von Spamkommentaren zu verhindern, bitte die Zeichenfolge im dargestellten Bild in der Eingabemaske eintragen. Nur wenn die Zeichenfolge richtig eingegeben wurde, kann der Kommentar angenommen werden. Bitte beachten Sie, dass Ihr Browser Cookies unterstützen muss, um dieses Verfahren anzuwenden.

BBCode-Formatierung erlaubt
Markdown-Formatierung erlaubt