Important Security Update: Serendipity 1.5.5 released

Serendipity bundles the powerful Xinha WYSIWYG editor to provide its functionality to our users.

Xinha ships with several plugins that use PHP scripting for special purposes, such as the ImageManager or ExtendedFileManager. A 0-day exploit was reported as available today that abuses the functionality of these plugins to upload malicious files to your webspace and execute foreign code.

Since no official patch has been made available on the Xinha side, the Serendipity Team has released an updated version in which those active Xinha plugins are no longer executable.

If you do not wish to apply the update to the most recent Serendipity version 1.5.5, you can remove these files instead:

  • htmlarea/contrib/php-xinha.php
  • htmlarea/plugins/ExtendedFileManager/config.inc.php
  • htmlarea/plugins/FormOperations/formmail.php
  • htmlarea/plugins/HtmlTidy/html-tidy-logic.php
  • htmlarea/plugins/ImageManager/config.inc.php
  • htmlarea/plugins/InsertPicture/InsertPicture.php
  • htmlarea/plugins/InsertSnippet/snippets.php
  • htmlarea/plugins/SpellChecker/aspell_setup.php
  • htmlarea/plugins/SpellChecker/spell-check-logic.php
  • htmlarea/plugins/SuperClean/tidy.php

The affected functionality is usually not enabled by default, since Serendipity provides its own media file manager.

Future Serendipity releases might re-enable these features once they have been safely patched.

To check whether your installation has been compromised, look in the directories htmlarea/plugins/ImageManager/demo_images and htmlarea/plugins/ExtendedFileManager/demo_images for files that have been uploaded there. If you find any, delete them, check your webspace for other modified files, and change your passwords for FTP and SQL access. Please upgrade as soon as possible.
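The two checks above (looking for uploaded files in the demo_images directories, and removing the listed Xinha PHP files when you cannot upgrade right away) as a small POSIX shell script. This is an added example, not code from the Serendipity release or from Xinha; it assumes the first argument is the Serendipity document root containing htmlarea/.

```shell
#!/bin/sh
# Added example, not code from the Serendipity release or from Xinha: audit a
# Serendipity document root (argument 1, assumed to contain htmlarea/).

# Files the advisory says can be removed if you cannot upgrade right away.
XINHA_PHP_FILES="htmlarea/contrib/php-xinha.php
htmlarea/plugins/ExtendedFileManager/config.inc.php
htmlarea/plugins/FormOperations/formmail.php
htmlarea/plugins/HtmlTidy/html-tidy-logic.php
htmlarea/plugins/ImageManager/config.inc.php
htmlarea/plugins/InsertPicture/InsertPicture.php
htmlarea/plugins/InsertSnippet/snippets.php
htmlarea/plugins/SpellChecker/aspell_setup.php
htmlarea/plugins/SpellChecker/spell-check-logic.php
htmlarea/plugins/SuperClean/tidy.php"

# Directories the advisory names as the place uploaded files end up.
UPLOAD_DIRS="htmlarea/plugins/ImageManager/demo_images
htmlarea/plugins/ExtendedFileManager/demo_images"

# Print one line per file present in the upload directories; a file with a
# PHP extension has no business in an image directory and is marked.
list_uploaded_files() {
    root=$1
    for d in $UPLOAD_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f | while IFS= read -r f; do
            case "$f" in
                *.php|*.phtml|*.php[0-9]) printf '%s  [PHP code: investigate]\n' "$f" ;;
                *) printf '%s\n' "$f" ;;
            esac
        done
    done
}

# Remove the listed Xinha plugin entry points, printing each file removed.
remove_xinha_php_files() {
    root=$1
    for rel in $XINHA_PHP_FILES; do
        [ -f "$root/$rel" ] || continue
        rm -f "$root/$rel" && printf 'removed %s\n' "$root/$rel"
    done
}

# Stand-alone use: sh audit.sh /var/www/serendipity [--remove]
if [ $# -gt 0 ]; then
    list_uploaded_files "$1"
    [ "${2:-}" = "--remove" ] && remove_xinha_php_files "$1"
fi
```

Without --remove the script only reports, so it can be run repeatedly on a live installation before deciding to delete anything.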

The release can be found on the Serendipity Download page. All Serendipity versions from 1.4 to 1.6 (alpha) are affected. 1.6 alpha users should migrate to a recent SVN head checkout or to tomorrow's snapshot.

Thanks a lot to Hauser & Wenz for reporting the issue. Serendipity fully supports responsible disclosure; unreported 0-day exploits help nobody in the true open-source spirit.

Serendipity 1.5.4 released

Serendipity 1.5.4 has been released and addresses some minor bugfixes as well as an XSS security issue discovered and reported by High-Tech Bridge. The XSS is only exploitable, though, if you are using the "Remember me" feature to log in to the Serendipity backend. Thanks to the quick notification by the team, we were able to fix the issue within 24 hours, as with all past security issues.

The XSS issue can easily be patched by simply replacing the file include/functions_config.inc.php with the new file (link), or by applying this patch.

Other bugfixes that come with the new Serendipity 1.5.4 release are:

  • Fix PHP 5.3.2 parse error in a file, thanks to fyremoon
  • Fix the SQL query statement for deleting a category, which on some DB types (SQLite) might not return "true" and thus not really delete the category.
  • Include license output in plugin listing
  • Fix escaping when using ImageMagick to create PDF-thumbnail images
  • Add a new template variable to the feed*.tpl files to support new plugins like pubsubhubbub, so that plugins can embed data in the main XML element

The latest release can be found in our SourceForge repository and in the usual place on . To upgrade from any previous Serendipity version, simply extract and upload the new files to your server.

PHP Parse Error on new PHP 5.3.2

As we were notified on our forums, the updated PHP 5.3.2 version seems to have changed the behaviour of quoted array keys within strings, which produces a PHP parse error in the Serendipity file include/functions_entries.inc.php at line 1433 (in Serendipity 1.5.3).

The fix is actually quite easy: replace the code found at line 1433, from this:

serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entries WHERE id=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entrycat WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entryproperties WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}comments WHERE entry_id=$id");

to this:

serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entries WHERE id=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entrycat WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entryproperties WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}comments WHERE entry_id=$id");

If you can't easily spot the difference: the array key ["dbPrefix"] with double quotes is changed to ['dbPrefix'] with single quotes. We're sorry for this inconvenience, which is already fixed in our SVN branches and will be part of the next release.

Thanks a lot to fyremoon from the forums (see this thread).

Server Maintenance

The s9y.org server is currently experiencing some issues. Jannis, our master-bithorder, is investigating, and we hope it will be resolved shortly. The s9y.org server powers the main wiki as well as the forums; this blog is hosted on a different machine.

Meanwhile: Summer.

Update 2010-07-05: The server was up and running during parts of the weekend, but the situation was not completely resolved. The server is once again up and running, but the boot process seems to be blocking on some MySQL issue. The hardware does not report any specific failure, so we're a bit clueless as to what is happening, but we currently do not have the time to set up a completely new server. We'll investigate further and hope that this outage won't repeat itself too soon.

If something fails, the SourceForge.net support options at SourceForge.net/Projects/php-blog will be available. We'll also try to work out a secondary forum installation that people have offered, and see if we can set up a dump of s9y.org on a static install.

Update 2010-07-06: And the server went down again. We cannot seem to find the reason why it hangs. We might need to completely reinstall the machine. We will try to make that happen as soon as possible and post updates here.

Update 2010-07-06, #2: Until we are able to reinstall the machine, we are trying to fix the situation by manually starting the machine's services; currently it seems as if the machine "lives" for about 24-30 hours after each reboot.

Update 2010-07-06, #3: I created a temporary support forum on SourceForge: SourceForge Forum for Serendipity.

Serendipity 1.5.3 released, Security Issue with Xinha

Serendipity 1.5.3 has been released as a security-fix release with no other relevant changes.

A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG library Xinha (which Serendipity uses) and affects certain Xinha plugins (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows uploading files with arbitrary PHP code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.

Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not actively using the mentioned Xinha plugins can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins, and the exploit, useless.

Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.