Important Security Update: Serendipity 1.5.5 released

Serendipity bundles the powerful Xinha WYSIWYG editor to provide its functionality to our users.

Xinha ships with several plugins that utilize PHP scripting for special usage, like the ImageManager or ExtendedFileManager. A 0-day security exploit has been reported available as of today that exploits the functionality of these plugins to upload malicious files to your webspace, to execute foreign code.

Since no official patch has been made on the Xinha side, the Serendipity Team has released an updated version where those active Xinha-Plugins are no longer executable.

If you do not wish to apply the patch to the most recent Serendipity version 1.5.5 you can remove those files:

  • htmlarea/contrib/php-xinha.php
  • htmlarea/plugins/ExtendedFileManager/config.inc.php
  • htmlarea/plugins/FormOperations/formmail.php
  • htmlarea/plugins/HtmlTidy/html-tidy-logic.php
  • htmlarea/plugins/ImageManager/config.inc.php
  • htmlarea/plugins/InsertPicture/InsertPicture.php
  • htmlarea/plugins/InsertSnippet/snippets.php
  • htmlarea/plugins/SpellChecker/aspell_setup.php
  • htmlarea/plugins/SpellChecker/spell-check-logic.php
  • htmlarea/plugins/SuperClean/tidy.php

The provided functionality is usually not enabled by default, since Serendipity provides its own media file manager.

Future serendipity releases might re-enable these features, once they are safely patched.

To see if you are infected, please check the directories htmlarea/plugins/ImageManager/demo_images and htmlarea/plugins/ExtendedFileManager/demo_images to see if files have been uploaded there. If so, delete the files and check your webspace for other modified files, as well as change your passwords for FTP and SQL access. Please upgrade as soon as possible.

The release can be found on the Serendipity Download page. All serendipity versions from 1.4 to 1.6 (alpha) are affected. 1.6 alpha users should migrate to a recent SVN head checkout or tomorrow's snapshot.

Thanks a lot to Hauser & Wenz for reporting the issue. Serendipity fully acknowledges responsible full disclosure, non-reported 0-day exploits are helping nobody of true OpenSource spirit.

Serendipity 1.5.4 released

Serendipity 1.5.4 has been released and addresses some minor bugfixes as well as a XSS security issue discovered and reported by High-Tech Bridge. The XSS is only exploitable though, if you are using the "Remember me" feature in the Serendipity backend to login. Thanks to the quick notification by the team we were able to fix the issue within 24 hours, as with all past security issues.

The XSS-issue can easily be patched by only replace the file include/functions_config.inc.php with the new file (link), or by applying this patch.

Other bugfixes that come with the new Serendipity 1.5.4 release are:

  • Fix PHP 5.3.2 parse error in a file, thanks to fyremoon
  • Fix SQL query statement for deleting a category, which on some DB types (SQlite) might not return "true" and thus not really delete the category.
  • Include license output in plugin listing
  • Fix escaping when using ImageMagick to create PDF-thumbnail images
  • Add new template variable to feed*.tpl files to support new plugins like pubsubhubbub, so that plugins can embed data to the main XML element

The latest release can be found on our SourceForge repository and on the usual place on . To upgrade from any previous Serendipity version, simply extract and upload the new files to your server.

Serendipity 1.5.3 released, Security Issue with Xinha

Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.

A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG-Library Xinha (that Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows to upload file with arbitrary PHP-Code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.

Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.

Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.

Security update for Freetag Plugin

Thanks to Niels Provos we have been informed of a security issue in the Serendipity Freetag plugin (serendipity_event_freetag). Versions up to 3.08 contained a bug that was not properly escaping a GET variable used in an SQL statement, leading to a possible SQL injection attack.

The impact of this is considered to be low, as the query used is only for displaying Meta keywords inside a blog entry, and usual mysql-Client libraries to not allow to execute multiple stacked SQL queries to drop tables etc.

Nevertheless, you should upgrade this plugin version. It is available on Spartacus, or for manual download.

Serendipity Snapshot: New login hashing

Since quite some time, Serendipity uses old-fashioned md5 hashes to secure your passwords for logins to the backend.

Because mechanisms to crack md5 hashes with rainbow tables or even "dictionary hash"-lookups are getting more and more popular, we have decided to finally take the step to raise the serendipity hashing mechanism to something salted, and more secure (SHA1). Even though md5 hashes are still reasonably(!) safe when you use long, randomized passwords, the old-style hashing is a one-way route to hell.

Serendipity has always been had high tributes to backwards compatibility and ease-of-use and ease-of-upgrading, we have decided to take the "soft" upgrade approach. That means, new Serendipity versions will accept your old MD5 login ONCE, and then will use your user-specified password to create the safer hash and store that to the database.

This will help in hypothetical attack situations, where someone might have gotten hand on your hash values stored inside the database, because he will no longer be able to reverse-engineer your original password.

We could need help from any developer or betatester trying out the new functionality. Upgrading to the latest snapshot (get it from the s9y nightly downloads) with Serendipity 1.5-alpha2 will deploy the necessary database upgrades. Note that the one-time MD5-login is only possible in the first 6 months after you performed the installation of this serendipity version (through a saved timestamp in the database), and after that timespan, you can no longer login with the old password and must reset your password through the Administrator (or manual means, if you are the administrator).

Once you perform the update (do not try this on production blogs currently), everything should continue as usual. If it does not, please report your exact problems here or in the Forums. It is suggested that once you have the new serendipity version you change your password, so that nobody that might have already gotten your old md5 hash can use the reverse-engineered password to login again with the new hash created from the same original password.

Feedback is appreciated. The current mechanism is subject to change and currently more a proof-of-concept - feedback will most definitely lead to improvement. :-)

Serendipity 1.3.1 released

Serendipity 1.3.1 has been released. This is a bugfix and security related release, basically adressing a potential XSS issue within the Top Referrers plugin as well as hypothetical XSS issues with the installer.

This release also adresses some basic PostgreSQL8 related problems, because implicit type casts have been removed from this version, causing breakage with several Serendipity core features. The fix for this is only partial and will still happen in (less common) functions of Serendipity. There is no ultimate solution to this because implicit type casts are required for certain entryproperty operations. Maybe the PostgreSQL8 team will think about if implicit type casts are not also quite helpful. ;-)

The only new feature addition is the exposition of a new smarty {serendipity_getImageSize} function.

This upgrade is recommended for users that use the Top Referrers plugin and new installations of Serendipity. Many thanks to Hanno Böck, once again, for reporting (and fixing) the two XSS issues (CVE-2008-1385 and CVE-2008-1386)!

You can find the new release on the s9y.org download page. Upgrade by simply uploading the deflated archive files to your webspace.