SourceForge Attack; Spartacus affected

This week, the SourceForge.Net servers have been attacked. Since the Serendipity project hosts files and our plugins' CVS on SourceForge's servers, this also affects our maintenance and distribution of plugins through Spartacus.

If you are having problems, you can manually download plugins through spartacus.s9y.org. You should also be able to choose netmirror.org as the Spartacus mirror.

Normal services should be restored in a few days. For the longer run, our team might move plugin repositories from CVS to SVN or even Git, but changing this will take some time (and discussion).

Serendipity Updater Plugin

Onli has contributed a new plugin to Spartacus, called serendipity_event_autoupdate. It is currently very much in an experimental state and is meant to aid in the process of upgrading Serendipity (which is already quite easy, but automatic might be even better, right?).

If you are interested in this feature, now is the time to help develop it! Please give feedback to Onli (German) or directly in the corresponding forum thread.

Important Security Update: Serendipity 1.5.5 released

Serendipity bundles the powerful Xinha WYSIWYG editor to provide its functionality to our users.

Xinha ships with several plugins that rely on PHP scripts for special functionality, such as the ImageManager or ExtendedFileManager. As of today, a 0-day exploit has been reported that abuses the functionality of these plugins to upload malicious files to your webspace and execute foreign code.

Since no official patch has been made on the Xinha side, the Serendipity Team has released an updated version in which those active Xinha plugins are no longer executable.

If you do not wish to apply the patch by upgrading to the most recent Serendipity version 1.5.5, you can remove these files instead:

  • htmlarea/contrib/php-xinha.php
  • htmlarea/plugins/ExtendedFileManager/config.inc.php
  • htmlarea/plugins/FormOperations/formmail.php
  • htmlarea/plugins/HtmlTidy/html-tidy-logic.php
  • htmlarea/plugins/ImageManager/config.inc.php
  • htmlarea/plugins/InsertPicture/InsertPicture.php
  • htmlarea/plugins/InsertSnippet/snippets.php
  • htmlarea/plugins/SpellChecker/aspell_setup.php
  • htmlarea/plugins/SpellChecker/spell-check-logic.php
  • htmlarea/plugins/SuperClean/tidy.php

The functionality these files provide is usually not enabled by default, since Serendipity ships its own media file manager.

Future Serendipity releases might re-enable these features once they have been safely patched.

To see if you are affected, check the directories htmlarea/plugins/ImageManager/demo_images and htmlarea/plugins/ExtendedFileManager/demo_images for files that have been uploaded there. If you find any, delete them, check your webspace for other modified files, and change your passwords for FTP and SQL access. Please upgrade as soon as possible.
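As an added example (not part of the Serendipity release or of the original post), the following POSIX shell script automates the two checks from the advisory on a local install: it reports which of the Xinha PHP files listed above are still present, lists anything sitting in the two demo_images upload directories, and prints PHP files changed within the last few days as candidates for a manual review. It assumes the directory layout quoted in the advisory and takes the Serendipity document root as its first argument; the default of seven days is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not project code. Read-only checks for a Serendipity 1.4 - 1.6 tree.
# Assumption: $1 is the Serendipity document root (e.g. /var/www/serendipity).

# Xinha PHP files named in the advisory; if any is still present, the install is unpatched.
XINHA_PHP_FILES="
htmlarea/contrib/php-xinha.php
htmlarea/plugins/ExtendedFileManager/config.inc.php
htmlarea/plugins/FormOperations/formmail.php
htmlarea/plugins/HtmlTidy/html-tidy-logic.php
htmlarea/plugins/ImageManager/config.inc.php
htmlarea/plugins/InsertPicture/InsertPicture.php
htmlarea/plugins/InsertSnippet/snippets.php
htmlarea/plugins/SpellChecker/aspell_setup.php
htmlarea/plugins/SpellChecker/spell-check-logic.php
htmlarea/plugins/SuperClean/tidy.php
"

# Upload targets named in the advisory; anything in here should not be there.
UPLOAD_DIRS="
htmlarea/plugins/ImageManager/demo_images
htmlarea/plugins/ExtendedFileManager/demo_images
"

# Print each advisory-listed file that still exists under the root. Returns 0 if none.
s9y_list_xinha_php() {
    root=$1
    found=0
    for f in $XINHA_PHP_FILES; do
        if [ -f "$root/$f" ]; then
            echo "PRESENT  $f"
            found=1
        fi
    done
    return $found
}

# Print every regular file in the demo_images directories. Returns 0 if they are empty or absent.
s9y_list_uploads() {
    root=$1
    found=0
    for d in $UPLOAD_DIRS; do
        [ -d "$root/$d" ] || continue
        n=$(find "$root/$d" -type f | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            find "$root/$d" -type f | sed 's/^/UPLOADED /'
            found=1
        fi
    done
    return $found
}

# Print PHP files modified within the last N days (default 7) for manual review.
s9y_list_recent_php() {
    root=$1
    days=${2:-7}
    find "$root" -name '*.php' -type f -mtime "-$days"
}

# Run all checks. Returns 0 only if no listed Xinha file and no upload was found.
s9y_check() {
    root=$1
    status=0
    s9y_list_xinha_php "$root" || status=1
    s9y_list_uploads "$root" || status=1
    echo "PHP files changed in the last ${2:-7} days (review manually):"
    s9y_list_recent_php "$root" "${2:-7}"
    return $status
}

# Usage: sh s9y_xinha_check.sh /var/www/serendipity [days]
if [ -n "${1:-}" ]; then
    s9y_check "$1" "${2:-7}"
fi
```

A non-zero exit status means either the install still carries the listed Xinha scripts (upgrade or delete them) or the upload directories are not empty (follow the clean-up steps above). The recent-file listing is deliberately just a listing: a fresh upgrade also touches many PHP files, so it needs a human to compare against the release contents.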

The release can be found on the Serendipity Download page. All Serendipity versions from 1.4 to 1.6 (alpha) are affected. 1.6 alpha users should migrate to a recent SVN head checkout or to tomorrow's snapshot.

Thanks a lot to Hauser & Wenz for reporting the issue. Serendipity fully supports responsible disclosure; unreported 0-day exploits help nobody in the true open-source spirit.

Serendipity 1.5.4 released

Serendipity 1.5.4 has been released and addresses some minor bugfixes as well as an XSS security issue discovered and reported by High-Tech Bridge. The XSS is only exploitable, though, if you use the "Remember me" feature to log in to the Serendipity backend. Thanks to the team's quick notification we were able to fix the issue within 24 hours, as with all past security issues.

The XSS issue can easily be patched by simply replacing the file include/functions_config.inc.php with the new file (link), or by applying this patch.

Other bugfixes that come with the new Serendipity 1.5.4 release are:

  • Fix PHP 5.3.2 parse error in a file, thanks to fyremoon
  • Fix SQL query statement for deleting a category, which on some DB types (SQLite) might not return "true" and thus not really delete the category.
  • Include license output in plugin listing
  • Fix escaping when using ImageMagick to create PDF-thumbnail images
  • Add a new template variable to the feed*.tpl files to support new plugins like pubsubhubbub, so that plugins can embed data in the main XML element

The latest release can be found in our SourceForge repository and in the usual place on . To upgrade from any previous Serendipity version, simply extract and upload the new files to your server.

Server troubles

One of the servers running s9y.org/board.s9y.org has unfortunately suffered a hardware failure. It will be replaced next week. It's gonna be a bumpy ride until then, with a couple of downtimes. I'm working on it. Enjoy the weekend, and if it's sunny, go out :)

Goodbye,
apologetic Jannis.