A serious security issue has been discovered in our bundled library XML-RPC. This issue allows for possible remote code execution.

We have upgraded the XML-RPC component to the fixed version and released Serendipity 0.8.2. The old SourceForge CVS HEAD branch now contains 0.8.2, and the SVN branches 0.8 and trunk also contain the changes.

The files can be found here:

Every user is urged to upgrade. As a temporary hotfix you can delete your serendipity_xmlrpc.php file so that your blog will not easily allow execution of maliclius XML-RPC method calls.

We are very sorry for this inconvenience and need to point out that many PHP applications using this common XML-RPC PEAR class are affected by this bug. Please check your webspace for any outdated versions of that PEAR class and upgrade other related applications as soon as possible. Also read this advisory.


Version 0.8.2 (June 29th, 2005)

    * fixed remote code execution vulnerability. Thanks to Gulftech
      Research for pointing out that bug and Stefan Esser for helping
      fix it (nohn)

    * Updated Spartacus to most recent version (nohn)

    * fixed serendipity_traversePath() -  PHP5 issue with array_merge()
      Thanks to jdhawk for the fix (flotsam)

    * CSS does no longer emit cache-restricting headers, so that the
      stylesheets can be cached by the browser for followup-requests
      Thanks to Sencer for pointing this out! (garvinhicking)
    * Patch/Bug #1209410 by swiesinger: When using shortcut admin URL,
      use https:// when specified by user

    * Fix deleting categories when having privileges but not being
      administrator (Patch #1205347, many thanks to Penny Leach)

    * Increased level of output message from the Spartacus plugin

    * Patched XML-RPC functions, thanks to Tim Putnam. This should enable
      XML-RPC services to properly fetch existing articles and edit them.

    * Fix Plugin API call performing too many unneeded SQL queries

    * Fix missing authorname when previewing entry. Thanks to winkiller,
      aquatic, thomas, wurstprinz and hansi for fixing this!


Trackback specific URI for this entry


Display comments as (Linear | Threaded)

cottonwood on at :

Is it sufficient to replace that serendipity_xmlrpc.php file with the new one from the 0.8.2 tarball?

Sebastian Nohn on at :

No. It is not. You need to replace bundled-libs/XML/RPC.php and bundled-libs/XML/RPC/Server.php

Mandrake on at :

Is there no other changes on this upgrade???

winkiller on at :

There are several other fixes over the last weeks, you can get detailed info via docs/NEWS.

csloh on at :

FLICKR posting by way of XML_RPC has been affected, any one know how to fix that?

csloh on at :

Solution found for Flickr & Serendipity 8.02. Note to self: don't be too hasty to post anything, there may be an easy answer if I am to look first. :-)

Matt on at :

I have just copied the newer files across and I get:

Unknown column 'a.realname' in 'field list'

and an sql error. I am guessing it hasn't upgraded the old database format, and of course the script is broken. Is there any WORKING documentation on how to perform this db upgrade?

Robin on at :

So what do we need to replace if we want all the fixes, but also want to keep our previous installation - I like my templates, the way my plugins are set up, my file path locations etc. The upgrade document helps not at all and neither does the rest of the documentation. I can't see how I can get around doing a fresh install, and redoing all the changes I did then :(

Matt on at :

Okay so it turns out that to upgrade to v0.8x you need to be running newer than php 4.2. Which I wasn't (debian woody). Anybody having the same problem might want to look at upgrading php first.

This is something that REALLY should be in the upgrade instructions file.

LH on at :

Your templates, plugins, config stays where they are through an upgrade. You don't need a fresh install and re-do all the changes and configurations.

Jon on at :

I cannot seem to find where to get the latest snapshot to upgrade the beta version. The CVS doesn't work at all for some reason. Is there a different location for it? Does it need to be fixed?

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

BBCode format allowed
Markdown format allowed