Security – Serendipity

Just a few days after Serendipity Camp and our last patch release we have to release Serendipity 2.3.4, fixing a security flaw (present on Windows installations only and exploitable only for users with upload rights on the Media library).

Unfortunately, it was possible to upload a malicious file "file" (e.g. a PHP script or other executable content) without a file extension and then rename it afterwards to "file.php" on Windows. Thanks to Junyu Zhang for spotting and reporting this!

As we had to do a patch release anyway, we added some other fixes around Media Library file renaming and improved the display of installable plugins by adding the plugin source (Spartacus, bundled with Serendipity core or local).

Please see the release statement on GitHub for more (technical) details.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

Please do install the update on Windows systems running Serendipity due to the security fix.

Serendipity 2.3.2 is a bugfix and security fix release for our current stable branch.

Two security related bugs were fixed, the pagination feature of templates like Timeline now really works, autologin now works again on MySQL, too, all thumbnails are rotated with the original image, the WYSIWYG editor won't strip some needed elements, and auto-generated mails will now look right on all MTAs.

Please see the release statement on GitHub for more details.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

Please do install the update due to the security fixes we have included.

This bugfix release Serendipity 2.1.5 contains fixes for security issues and some bug fixes backported from our recent 2.3-beta1 release:

• Fix XSS in Editor Preview by interpreted EXIF tags (thanks to Hanno Boeck!).
• Fix XSS in Media Library by interpreted EXIF tags (thanks to Hanno Boeck!).
• Fix mispositioned button in media db directory list.
• Change default for comment subscription to full text.
• Display errors if comment coulnd't be deleted.
• Make it easier to drag plugins to other column.
• Add fallback for broken JS in configuration screens.

You can download the release file and unzip it to your installation as usual, or update from within Serendipity using the Serendipity Autoupdate Plugin (serendipity_event_autoupdate).

Two new releases have been issued today. 2.1.4 is a security fix release which addresses these issues:

• Security: Fix XSS for pagination, when multi-category selection is used. Thanks to Brian Carpenter (geeknik) and Hanno Boeck!
• Minor code fixes (proper PHP escaping for 'orderkey' SQL statement)
• Skeleton, Timeline and Clean Blog templates: Add theme option to disable google webfonts
• Link to https s9y.org pages

The 2.2.1-alpha1 release addresses a few larger changes in Serendipity. These are the key points of the release:

• PHP 7.2 support (including a new autologin token system and bcrypt password hashing)
• Add function to add multiple images to an enty at once, creating a gallery
• Added a maintenance mode option
• Upgrade Smarty to 3.1.32
• Bootstrap4 adaptations
• Fixes for plugin drag'n'drop
• Improvements to the p-mode of nl2br plugin
• Ability to create responsive image thumbnails
• Improvements to local caching
• Rework of moving media items (work in progress)

We would love to get feedback from our users. Be sure to try out the new release only on test/development blogs yet. If you absolutely want to test it on production blogs, make sure to have a backup available.

Both releases can be downloaded from our GitHub release page.

Together with the security-release of Serendipity 2.1.3, a possible SQL injection has been reported in the serendipity_event_freetag plugin, reported by Brian Carpenter (geeknik) and Hanno Böck. Many thanks for reporting this.

The issue has been fixed in version 3.69 of the plugin which you can install through Spartacus (or manually).

This release addresses several security issues that have been reported to us by Hanno Boeck, Brian Carpenter, oreamnos and Julio Cesar. Many thanks for this!

More specifically:

• Ensure URL parameter casting for RSS and blog entry limits to prevent possible SQL injection inside the LIMIT statement part Prevent XSS in the "Edit entries" panel
• Prevent sending comment notifications to more than one email address
• Disable exit.php-Tracking for open URL redirection, unless the trackexits plugin is specifically configured to do so

The release also addresses a new feature for a "legal" plugin property bag attribute (usable for GDPR/DSGVO plugin information) and by default disables subToMe service to prevent GDPR issues.

Simply download the release and update your blog.