Serendipity 1.5.3 released, Security Issue with Xinha
Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.
A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG-Library Xinha (that Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows to upload file with arbitrary PHP-Code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.
Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.
Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.
Trackbacks
Trackback-URL für diesen Eintrag
- Dirks Logbuch am : Serendipity 1.5.3 ...
- Nur ein Blog am : Sicherheitsleck in Serendipity - Update auf 1.5.3
Kommentare
Ansicht der Kommentare: (Linear | Verschachtelt)
Berlinaut am um :
Thanks for the fast update! Is it also possible just to upgrade a few files?
public am um :
Thanks. But on the left side of this page version 1.5.1 is still recommendated.
Luo Chunhui am um :
Thanks for your update.
JCG am um :
Thanks a lot for your very fast reaction.
Mandrake am um :
Garvin, does replacing "php-xinha.php" from the 1.5.3 file solves the issue?
bed am um :
Yeah! Why? how about replacing "php-xinha.php" from the 1.5.3 file, does it solve the issue?
sph am um :
err...
i don't know which version of serendipity i use - but i actually don't have the "contrib/"-directory in "htmlarea".
and there's no "php-xinha.php"-file anywhere.
in fact, i searched the whole installation and there is not a single thing called something like "xinha".
yes, i didn't update for... long time. but especially on this php-xinha-topic: should i be worried?
greets!