Thanks (again!) to Stefan Schurtz for bringing three security issues to our attention, which are fixed with Serendipity 1.7.7:
- An XSS via a specially crafted username, triggered when viewing the "Manage users" screen
- An XSS via specially crafted id/timestamp values when creating an entry
- An SQL injection via a specially crafted plugin name when installing a plugin
All three issues can only be exploited in the backend, which means someone would need to send you a maliciously crafted link that you click on while logged in (or one of your own blog editors, if you have any, would have to target you). Since people can nowadays be tricked very easily into "clicking" crafted links (URL shorteners like bit.ly hide the real target), we regard these issues as critical, and you should upgrade as soon as you can. Remember that you can always reduce your exposure to XSS attacks like these by logging out of Serendipity when you are no longer working in it; such links will then not execute in an authenticated session, since you would first have to log in to your backend again. This applies to any web application, so make use of the Logout button. ;-)
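To make the two bug classes behind this release concrete, here is an added illustrative example in PHP. It is not Serendipity's code and does not reproduce the actual vulnerable code paths (which this post does not show); the table, column and function names are assumptions. It puts an unescaped admin-screen rendering and a string-built plugin INSERT next to their hardened forms, using an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added illustrative example, not Serendipity's own code. The table name
// "plugins", its columns and all function names are assumptions.

// Constructed sample input: a username as an attacker (or a malicious editor)
// might register it, and a plugin name as it might arrive in a crafted request.
$username   = '<img src=x onerror="alert(document.cookie)">';
$pluginName = "serendipity_event_foo'); DROP TABLE plugins; -- ";

// Vulnerable: the stored name is echoed straight into the admin HTML.
function renderUserRowVulnerable(string $name): string
{
    return "<tr><td>$name</td></tr>";
}

// Hardened: escape for the HTML context at output time. ENT_QUOTES also
// covers attribute values; the charset must match the page encoding.
function renderUserRowSafe(string $name): string
{
    return '<tr><td>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</td></tr>';
}

// Vulnerable: the plugin name is concatenated into the statement. This only
// builds the string so you can see the result; it is deliberately never executed.
function buildInsertVulnerable(string $name): string
{
    return "INSERT INTO plugins (name) VALUES ('$name')";
}

// Hardened: bind the value with a prepared statement, so the name can never
// change the structure of the statement, whatever characters it contains.
function installPluginSafe(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO plugins (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE plugins (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// XSS: the first line is live markup in the admin's browser, the second is text.
echo renderUserRowVulnerable($username), "\n";
echo renderUserRowSafe($username), "\n";

// SQLi: the built statement shows how the quote closes the literal and a second
// statement follows; the bound version stores the whole string as data.
echo buildInsertVulnerable($pluginName), "\n";
installPluginSafe($db, $pluginName);
$stored = $db->query('SELECT name FROM plugins')->fetchColumn();
echo 'stored verbatim: ', ($stored === $pluginName ? 'yes' : 'no'), "\n";
```

The point of the pairing is that both fixes live at the trust boundary where the value is used (output escaping at render time, parameter binding at query time), not at registration or upload time; logging out, as recommended above, only shrinks the window in which a crafted link finds an authenticated session.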
This release also addresses an issue with the nl2br plugin in conjunction with the WYSIWYG editor. The plugin now shows some useful information in its configuration screen on how to use it if you also use WYSIWYG editors or other markup plugins. The templatechooser plugin also works properly again with some older templates. The fix for the textile plugin not working properly on PHP < 5.3 has also been addressed (again).
Upgrading Serendipity is as simple as usual: ideally make a backup first, then just upload the new release files to your blog.
UPDATE: Release 1.7.6 had a typo in one PHP file, so 1.7.7 was released immediately afterwards.