New Serendipity homepage online

In the past few months we have also worked a lot on rebuilding the presentation page of www.s9y.org. We have moved our infrastructure for this over to Github Pages in the s9y.github.io repository, and reworked a lot of our documentation to streamline and better structurize.

Additionally, this documentation repository is now open for any kind of pull requests and contributions, and will be easier to maintain. Our devs onli and yellowled worked hard on bringing the visual side of things up to par, as well as MarioH for moving a lot of text files, and we hope you like our efforts!

Serendipity 2.0.4 and 2.1-beta2 released

Serendipity 2.0.4 is a maintenance security release which addresses these issues:

  • [Security] Prevent moving files by using their directory name.
    [Security] Possible SQL injection for entry category assignment
    [Security] Possible SQL injection for removing&adding a plugin

    All issues require a valid backend login.
    Thanks to Hendrik Buchwald for finding this via their
    RIPS source code analyzer (www.ripstech.com)
  • [Security] Add new configuration option to enable fetching local files for the media uploader. By default this is now disabled to prevent Server Side Request Forgery (SSRF). Thanks to Xu Yue for pointing this out!

Alongside a new Serendipity 2.1-beta2 version has been released, with the same fixes plus some more progress on the road to the 2.1 release. Features like these have been added:

  • New API wrapper for URL downloads that plugins can use (serendipity_request_url)
  • Added new Theme "Skeleton" (responsive, mobile first)
  • Improved preview iframe handling
  • Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors

Simply upgrade by unpacking and uploading the release file and confirming our web-based upgrader.

Serendipity 2.1-beta1 released

The first beta of Serendpity 2.1 has been released and we are happy for people to test our latest changes.

The main focus of Serendipity 2.1 are rewrites in some older legacy parts of the core (URL routing, template fallback chain, experimental internal caching) as well as PHP7 compatibility.

Other notable changes include:

  • New bundled responsive themes "Timeline" (Demo) and "Clean-Blog" (Demo)
  • Improved usability of plugin upgrades by combining sidebar and event plugins and upgrading multiple plugins at once
  • Permission checks for the dashboard output and comments
  • Usability improvements to the media library, bulk moving support
  • The full list of changes can be found as usual in our docs/NEWS file.

We are happy to hear your feedback about this beta release on our forums!

Thanks on behalf of the team. And also thanks for our hard-working developers who contributed code to this Serendipity beta version, especially aristophian, onli, yellowled (in alphabetical order *g*),

Garvin

A Serendipitous Birthday Present

On March 29th in 2003, Jannis Hermanns officially renamed his jBlog to Serendipity. Now, 13 years later, we are still actively working on improving what was meant to be a simple and expansive blogging infrastructure.

In April, we will have our second user/developer meetup in Germany (Essen) and hopefully decide on a couple of remaining issues for releasing version 2.1 of Serendipity and launching the currently "work in progress" version of docs.s9y.org. This new page will better present Serendipity and offer new and more streamlined documentation.

A few years ago, a Serendipity Book was published in german language by Garvin Hicking, which was later open-sourced and put into our documentation repository. Out of this, our fellow core developer Ian (Timbalu) has put an awesome amount of time and effort into updating this german documentation for recent Serendipity versions.

You can find this on docs.s9y.org/Book/ and you will see that it is still marked as "Draft" - which means, we would appreciate your feedback and input. We do hope to get this book translated to english at some point, any help on this is appreciated.

On behalf of the team, many thanks to Ian (Timbalu) and we're excited to keep making Serendipity be a great blogging tool for your needs.

Serendipity 2.0.3 released

Happy new Year! Serendipity 2.0.3 has just been released to address a XSS security issue found and reported by Onur Yilmaz and Robert Abela from Netsparker.com. Thanks a lot for contacting us and working with us to address the issue.

The issue only affects logged-in authors, where HTML can be inserted into the comment editing form when they click specially crafted links. Due to the required authentification we consider the issue of medium impact, but suggest everyone to perform the update.

We are currently still working on an improved s9y.org presentation page and its documentation, as well as on the 2.1 branch of Serendipity - check out our current 2.1 changelog, if you are interested and willing to help testing!

Serendipity 2.0.2 Security Fix Release

Thanks to the report of Tim Coen (of Curesec GmbH) we were able to adress three security issues in the Serendipity Code.

The first issue was found because authenticed authors are allowed to upload files with extension .pht(ml), that can be executed for PHP code on Apache webserver configurations that use this suffix. If your blog allows upload access for untrusted authors, you should regard this issue as a critical risk.

The second issue is a missing escaping of comment approval tokens, when enabled in your blog which allows for possible SQL injection for data leak and DOS, and also an authenticated user must be tricked into clicking a specifically crafted URL to exploit this (medium risk).

The third issue is missing escaping of a commenting user's name by a javascript of the 2k11 theme (used by default) which is triggered when a user clicks on the "Reply" link (medium risk).

We have prepared two new releases for each of our currently maintained Serendipity version branches and suggest to update your Serendipity version:

  • 2.0.2 is the recommended release
  • 1.7.9 is the hotfix release for everyone not yet running Serendipity 2.x (you should!)

Check out the download locations for the release files.

Of course, everyone who is using our Github repository to checkout the Serendipity files will get the patches by pulling our 2.0 branch or the master (2.1.x) for our current development version.

Updating Serendipity is painless; upload/checkout the release files and go to the Administration suite where you can confirm the upgrade. Also, by using the auto-update plugin you can install the blog from within your administration suite once we are able to upload the release to our SourceForge repository (which is down right now).

We are happy to be able to coordinate this release with Tim and provide improved security for our users.