Serendipity 2.0-rc2 released

A possible XSS attack vector was found and reported by Steffen Rösemann (many thanks!): blog comments displayed on the admin start page were not properly escaped. 2.0-rc2 addresses this issue. We are thankful to be able to fix it on our road to the 2.0 final release.

The patch is quite easy, so if you do not want to upload the whole release package, you can manually apply this patch to templates/2k11/admin/overview.inc.tpl.

Another issue that Steffen addresses in his advisory is that, by default, editors are allowed to post HTML in blog entries. This is a deliberate default: we trust the blog's own editors. If that is not the case in your installation, you should install the serendipity_event_xsstrust plugin, which specifically allows you to block HTML code in entries made by blog editors.

The new release can be found as usual on our download page.

Update for the XML-RPC Plugin

An issue has been reported in the CMS/blog systems Drupal and WordPress that allows a Denial of Service (DoS) by sending invalid XML to the XML-RPC service.

Serendipity uncoupled the XML-RPC functionality into an external plugin a long time ago, so luckily no update of the Serendipity core is needed. Only users who have installed serendipity_event_xmlrpc (through Spartacus, for example) are actually affected by this issue, since the plugin uses PHP's default XML parsing facilities.

We have applied the same patch to the parsing routines to detect this invalid XML (see Drupal commit) in version 1.53 of the mentioned plugin. Users who have enabled this plugin should either update or remove it to prevent possible DoS attacks on their servers. This version will be available in Spartacus within 24 hours, or can be downloaded manually through github: Source Link.
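As an added illustration of the kind of pre-parse check described above (this is neither the plugin's own code nor the Drupal patch; the function names and the 512 KiB size limit are my own choices), here is a PHP filter that refuses XML-RPC request bodies carrying DOCTYPE or ENTITY declarations, the construct that entity-expansion payloads depend on, before anything reaches the XML parser:

```php
<?php
// Added example, not code from serendipity_event_xmlrpc. Rejects request
// bodies with DTD constructs before the XML parser ever sees them.

// Return true when the raw request body may safely be handed to a parser.
function xmlrpc_body_is_acceptable(string $body, int $maxBytes = 512 * 1024): bool
{
    // A legitimate XML-RPC call is small; oversized bodies are refused outright.
    if (strlen($body) > $maxBytes) {
        return false;
    }
    // XML-RPC never needs a DTD, so any DOCTYPE or ENTITY declaration is a
    // sign of an entity-expansion payload and the request is dropped.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $body)) {
        return false;
    }
    return true;
}

// Parse only after the cheap pre-check passed, with network access disabled.
function xmlrpc_parse(string $body): ?SimpleXMLElement
{
    if (!xmlrpc_body_is_acceptable($body)) {
        return null;
    }
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET keeps libxml from fetching external resources; LIBXML_NOENT
    // is deliberately not set, so entity references are not substituted.
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc === false ? null : $doc;
}

// Constructed sample requests: a normal call and one carrying a DTD.
$good = '<?xml version="1.0"?><methodCall><methodName>blogger.getUsersBlogs</methodName><params/></methodCall>';
$bad  = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY a "aaaa">]><methodCall><methodName>&a;</methodName></methodCall>';

var_dump(xmlrpc_parse($good) instanceof SimpleXMLElement);
var_dump(xmlrpc_parse($bad) === null);
```

The pre-check works on the raw body, so it protects whichever parser the plugin uses (expat via xml_parser_create or libxml) equally.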

If the update generates problems with your valid XML-RPC calls, please report them either on our forums or in the Serendipity issue tracker on GitHub. Thanks a lot also to Ian for bringing this issue to our attention, so that we were able to provide a quick fix as well.

Serendipity 1.7.7 released

Thanks (again!) to Stefan Schurtz for bringing three security issues to our attention, which are fixed with Serendipity 1.7.7:

  • An XSS when viewing the "Manage users" screen, triggered by a specially crafted username
  • An XSS when creating an entry with specially crafted id/timestamp values
  • An SQL injection when installing a plugin with a specially crafted name

Now, all these issues can only be exploited in the backend, which means someone would need to send you a maliciously crafted link that you click on (or your own blog editors, if you have them, would have to target you). Since nowadays people can easily be tricked into "clicking" crafted links (by using URL shorteners like bit.ly), we regard this issue as critical, and you should upgrade as soon as you can. Remember that you can always improve your chances of not being affected by XSS attacks like these by logging out of Serendipity when you are no longer working in it; then XSS attacks through such links will not be executed, since you would first need to log in to your backend. This applies to any web application, so make use of the Logout button. ;-)

This release also addresses an issue with the nl2br plugin in conjunction with the WYSIWYG editor. The plugin now shows some useful information in its configuration screen on how to use it if you also use WYSIWYG editors or other markup plugins. Also, the templatechooser plugin will now work properly again with some older templates. The fix for the textile plugin not working properly on PHP < 5.3 has also been addressed (again).

Upgrading Serendipity is simple as usual: Ideally make a backup first, and then just upload the new release files to your blog.

UPDATE: The release 1.7.6 had a typo in one PHP file, so 1.7.7 has been released immediately after this.

Serendipity 1.7.3 released

Serendipity 1.7.3 has just been released. This release only addresses a bugfix for one functional issue (trackbacks to SSL-servers) and a security issue in the bundled htmlarea spellchecker module (see http://osvdb.org/87395). Thanks to Henri Salo for pointing out this issue.

To fix the security issue on older installations, you can also simply remove the file htmlarea/plugins/SpellChecker/spell-check-savedicts.php from your installation; it is neither enabled nor used by Serendipity.

Serendipity 1.6.2 released

UPDATED: 2012-05-22 12:00 to clarify impact.

Good and bad things come in doubles, it seems. We are sorry to inform you that another security issue in Serendipity has been found by the High-Tech Bridge SA Security Research Lab (Advisory HTB23092). This issue has been reported today at 11:27 and we're happy to provide a quick fix for that.

You can either download the full 1.6.2 release, or apply this simple fix to the file include/functions_trackbacks.inc.php: diff on github.

The error here is that input is not properly validated and can be used (when magic_quotes_gpc is off) to inject SQL code into an SQL query. Because our DB layer does not execute multiple statements, and the involved SQL query is not used to produce output, we initially considered the impact limited. Thanks to Pawel Golen it was made clear to us that this issue can in fact be used to remotely access the database through blind SQL injection attacks (this method is really slow and creates a lot of traffic, since the exploit only yields a 0/1 result per request, so deducing content takes a lot of queries). Thus you should definitely upgrade your installation.

Serendipity is an open-source based product with no specific funding, so we depend on nice people like High-Tech Bridge, Stefan Schurtz, Hanno Böck and all the others of the past to report issues to us. In turn we promise to fix them as quickly and transparently as possible.

Serendipity 1.6.1 released

Serendipity 1.6.1 has just been released. As usual you can simply download from s9y.org, extract the archive, upload it to your webspace and accept the upgrader when visiting your blog.

This release mainly addresses two security issues found by Stefan Schurtz (thanks a lot, again!). One is an XSS issue in the media database panel, the other an SQL injection in the media database section. Both issues can only be exploited if you are logged in to your blog and click a specially crafted link. The SQL injection cannot be used to extract sensitive information from the database or to delete data.

Either way you are urged to upgrade your Blog to the latest version. Development versions of 2.0 and 1.7 on github have these bugs fixed as well.

Other bugfixes in this version include:

  • Updated spamblock plugin for better word filtering in specific scenarios
  • Fixed draft/future entries preview links in backend
  • Fixed an issue where template-specific configuration options were not overwritten by the new global ones

You might also want to check out our quite stable 1.7 development version which uses Smarty3, or even our 2.0 development version which contains major rewrites so that Smarty is used in the backend!