Serendipity 0.8.5 released

Thanks to Nenad Jovanovic (a pleasure to have worked with), we were notified of a serious problem with hijacking Serendipity functionality under certain circumstances when users are tricked on foreign malicious websites.

The effects of that issue resulted in the possibility that when people know the URL to your Backend, they were able to change your user password and lock you out of the system. However you were required to do two things for this to work: First you'd need to be logged in to your Serendipity backend via a session or permanent cookie, and second you would need to visit the webpage of a malicious user.

As a follow-up to this problem, it came to our attention that Serendipity (like many other web applications - watch the next releases of your favourite software in the next days) can be subject to XSRF ("Cross Site Request Forgery") attacks. All web applications that depend on session cookies and have their backend URL known to the public can be tricked into those XSRF attacks when not verifying the origin of a submitted HTML form.

Serendipity 0.8.5 addresses this problem by introducing HTML-form tokens. Only if they are set, the administrative tasks requested will be carried out - and foreign websites can not get that token under usual circumstances.

It is strongly suggested to upgrade to Serendipity 0.8.5! The development versions of 0.9 also fixed this bug, please read the separate 0.9-beta1 announcement for more information.

Updating from any Serendipity version is easy: Backup first, then extract the release files over your old installation, make sure the files .htaccess/ are writable, login to Serendipity and be guided through the automatic upgrade process.

Download the release here


Trackback specific URI for this entry


Display comments as (Linear | Threaded)

No comments

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

BBCode format allowed
Markdown format allowed