As you might have heard already, the XML-RPC Package by PEAR has received a major update that deals with another possible security issues in the execution of remote procedure calls.
Serendipity bundles this XML-RPC class to allow posting entries via GUI editors like ecto, marsEdit and so on. Because of the reasons mentioned in a seperate posting, Serendipity no longer bundles this library and instead offers this functionality as a plugin.
Thus, a new release with the unbundled XML-RPC libraries will be made. On top of that, Serendipity has now been changed to be (optionally) able to use a local server installation of the PEAR repository. This way, if you want to maintain PEAR packages (plus Smarty and Onyx) independently of Serendipity, and without needing to upgrade packages twice, you can now use Serendipity in that unbundled environment. You can then basically delete the whole bundled-libs directory, if you've made sure that PEAR/Smarty/Onyx is installed in a directory that is available to all applications (something like /usr/local/lib).
You will then also have to set a variable $serendipity['use_PEAR'] = true; in your serendipity_config_local.inc.php or serendipity_config.inc.php file.
The XMLRPC posting plugin (link) has been upgraded to use PEAR:XMLRPC 1.4.0.
We now need to perform some more testing and QA if all of our patches work smoothly together, which is the reason why a 0.8.4 release has not yet been made. There currently is no known exploit to the inherent security issues of the PEAR-XMLRPC package that is bundled with Serendipity 0.8.3.
The easiest way for you to stay secure is to delete your serendipity_xmlrpc.php file until 0.8.4 is released. If you delete that file, you also do not need to upgrade to 0.8.4.
If you require the XML-RPC posting functionality, you can easily upgrade by doing those steps:
- Fetch the file serendipity_xmlrpc.php from our current sourcecode, or if you are running from SVN upgrade your 0.8 branch checkout. Save the file in your Serendipity directory.
- Download and install the plugin "Post via XML-RPC". Either fetch it via SF.Net CVS (use a CVS utility to checkout all files) or install the plugin via Spartacus. Make sure you are downloading version 1.1 of the plugin with all its files -- as SourceForge lags about 24 hours, and the patch has just been committed, it might take one more day until the version is available. A zip file of the plugin can be found here
- Now you can continue to use your XML-RPC posting utility, the API-endpoint URL has not changed
Stay tuned for an update on this issue. Thanks to Stefan Esser of the Hardened PHP project, who tried to give a helping hand with the latest XML-RPC issues - this is much appreciated!
Serendipity 0.8.4 will be announced here when our tests are finished. Until then, removing your serendipity_xmlrpc.php file is the recommended way to deal with the issue. People using trunk checkouts or nightlies after 2005-08-10 are not affected by this issue, as it has already been fixed there.
- BSDUnix on : PEAR XML_RPC Remote PHP Code Injection Vulnerability
- Captain's blog on : Neue S9Y-Version
- s9y::blog on : Serendipity 0.8.4 released