Important Security Update: Serendipity 1.5.5 released

Serendipity bundles the powerful Xinha WYSIWYG editor to provide its functionality to our users.

Xinha ships with several plugins that rely on PHP scripts for special purposes, such as the ImageManager or ExtendedFileManager. A 0-day exploit has been reported as available as of today; it abuses the functionality of these plugins to upload malicious files to your webspace and execute foreign code.

Since no official patch has been released on the Xinha side, the Serendipity Team has released an updated version in which those active Xinha plugins are no longer executable.

If you do not wish to upgrade to the most recent Serendipity version, 1.5.5, you can instead remove these files:

  • htmlarea/contrib/php-xinha.php
  • htmlarea/plugins/ExtendedFileManager/
  • htmlarea/plugins/FormOperations/formmail.php
  • htmlarea/plugins/HtmlTidy/html-tidy-logic.php
  • htmlarea/plugins/ImageManager/
  • htmlarea/plugins/InsertPicture/InsertPicture.php
  • htmlarea/plugins/InsertSnippet/snippets.php
  • htmlarea/plugins/SpellChecker/aspell_setup.php
  • htmlarea/plugins/SpellChecker/spell-check-logic.php
  • htmlarea/plugins/SuperClean/tidy.php

This functionality is usually not enabled by default, since Serendipity provides its own media file manager.

Future Serendipity releases might re-enable these features once they are safely patched.

To see if you are infected, check the directories htmlarea/plugins/ImageManager/demo_images and htmlarea/plugins/ExtendedFileManager/demo_images for files that have been uploaded there. If you find any, delete them, check your webspace for other modified files, and change your FTP and SQL passwords. Please upgrade as soon as possible.
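As an added example (not code from the Serendipity project or this advisory), the manual mitigation and the infection check above as POSIX shell functions. The function names, the assumption that the argument is the Serendipity install root (the directory containing htmlarea/), and the list of script-like file names are mine:

```shell
# Added example, not code from the Serendipity project or the advisory: its manual
# mitigation and infection check as shell functions; $1 is assumed to be the install root.
# Xinha items the advisory lists for removal (directories without trailing slash).
XINHA_PHP_ITEMS="htmlarea/contrib/php-xinha.php
htmlarea/plugins/ExtendedFileManager
htmlarea/plugins/FormOperations/formmail.php
htmlarea/plugins/HtmlTidy/html-tidy-logic.php
htmlarea/plugins/ImageManager
htmlarea/plugins/InsertPicture/InsertPicture.php
htmlarea/plugins/InsertSnippet/snippets.php
htmlarea/plugins/SpellChecker/aspell_setup.php
htmlarea/plugins/SpellChecker/spell-check-logic.php
htmlarea/plugins/SuperClean/tidy.php"
# Upload directories the advisory asks you to inspect.
UPLOAD_DIRS="htmlarea/plugins/ImageManager/demo_images
htmlarea/plugins/ExtendedFileManager/demo_images"
# Prints every regular file in the upload directories, one per line, for manual
# review (the stock download ships a few demo images there, so not every hit is an upload).
list_uploads() {
  for d in $UPLOAD_DIRS; do
    [ -d "$1/$d" ] && find "$1/$d" -type f
  done
  return 0
}
# Counts files that never belong in an image directory: anything the web server
# could run as PHP, or an .htaccess that could make it do so (assumed name list).
count_script_uploads() {
  n=0
  for d in $UPLOAD_DIRS; do
    [ -d "$1/$d" ] || continue
    c=$(find "$1/$d" -type f \( -iname '*.php*' -o -iname '*.phtml' -o -name '.htaccess' \) | wc -l)
    n=$((n + c))
  done
  echo "$n"
}

# Deletes the listed Xinha PHP components. Run the checks first: removing
# ExtendedFileManager/ and ImageManager/ removes their demo_images as well.
remove_xinha_php() {
  for item in $XINHA_PHP_ITEMS; do
    rm -rf "$1/$item"
  done
}

# Succeeds (exit 0) only when none of the listed items remain under $1.
xinha_php_removed() {
  for item in $XINHA_PHP_ITEMS; do
    [ -e "$1/$item" ] && return 1
  done
  return 0
}
```

Run `list_uploads /path/to/serendipity` and review the output by hand before calling `remove_xinha_php`, since removal also deletes the upload directories you are inspecting.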

The release can be found on the Serendipity download page. All Serendipity versions from 1.4 to 1.6 (alpha) are affected. Users of the 1.6 alpha should migrate to a recent SVN head checkout or to tomorrow's snapshot.

Thanks a lot to Hauser & Wenz for reporting the issue. Serendipity fully acknowledges responsible full disclosure; unreported 0-day exploits help nobody in the true open-source spirit.


Matthew Weigel:

To clarify, the files "bikerpeep.jpg," "wesnoth078.jpg," and "linux/linux.gif" in those two directories are provided in the stock download. Their presence should not, I don't think, mean that your s9y blog is infected.

On the other hand, would an infected blog be able to delete incriminating evidence in these directories?

Marco:

Thanks for the clarification, I was shocked for a few seconds. ;)

Markus Hansen:

I have incoming traffic from searches for "powered by s9y", heading straight over to [path]/htmlarea/plugins/ExtendedFileManager/manager.php - better apply those patches everyone.

Alan Kennington:

Yes, I had exactly the same thing. First there was a search for in Netherlands Google from an HTTP client IP address which is apparently in Latvia.

Then they made a jump directly to htmlarea/plugins/ExtendedFileManager/manager.php.

Gangrif:

I actually had my system compromised as a result of this exploit. It occurred on 11/24. I tied it together when I found out about this exploit. The system has already been wiped and rebuilt. I have log data if anyone is interested.

F. Leven:

My site was hacked and files were uploaded to (jpg/txt/php):


All index pages were changed and some PHP lines were inserted. I can mail the changes if someone is interested.

macdet:

@F. Leven - please send!

I am at work :) Seems like time to look for an upgrade!

lte:

Great! Looking forward to it :)