Thanks to the report of Tim Coen (of Curesec GmbH) we were able to adress three security issues in the Serendipity Code.
The first issue was found because authenticed authors are allowed to upload files with extension .pht(ml), that can be executed for PHP code on Apache webserver configurations that use this suffix. If your blog allows upload access for untrusted authors, you should regard this issue as a critical risk.
The second issue is a missing escaping of comment approval tokens, when enabled in your blog which allows for possible SQL injection for data leak and DOS, and also an authenticated user must be tricked into clicking a specifically crafted URL to exploit this (medium risk).
We have prepared two new releases for each of our currently maintained Serendipity version branches and suggest to update your Serendipity version:
- 2.0.2 is the recommended release
- 1.7.9 is the hotfix release for everyone not yet running Serendipity 2.x (you should!)
Check out the download locations for the release files.
Of course, everyone who is using our Github repository to checkout the Serendipity files will get the patches by pulling our 2.0 branch or the master (2.1.x) for our current development version.
Updating Serendipity is painless; upload/checkout the release files and go to the Administration suite where you can confirm the upgrade. Also, by using the auto-update plugin you can install the blog from within your administration suite once we are able to upload the release to our SourceForge repository (which is down right now).
We are happy to be able to coordinate this release with Tim and provide improved security for our users.