by garvinhicking » Sun Jun 17, 2007 1:23 pm
Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted at the function that fetches comment information. This variable was introduced in Serendipity 1.1; all prior versions are not affected.
Please update your blogs as soon as possible. If you are using a database backend that allows SQL union queries, the injection could probably lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest updating your blog user account passwords.
It is a good idea to check your server's access logs and search for the 'commentMode' variable to see if malicious requests have already been issued to your blog.
For those who do not want to upgrade to a whole new version, you can also simply patch the file include/functions_comments.inc.php and replace the single occurrence of:
$type = $serendipity['GET']['commentMode'];
with
$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);
We are very sorry for this, but happy to provide a quick fix in a short time. You can download the latest files as usual from www.s9y.org. Read the FAQ on how to perform an easy update.
Last edited by garvinhicking on Sun Aug 26, 2007 6:30 pm, edited 1 time in total.
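The post above recommends searching the web server's access logs for requests carrying 'commentMode'. The following is an added example of how that check can be done, not code from the Serendipity project or from the original post. It assumes logs in the Apache "combined" format, and it assumes that 'linear' and 'threaded' are the only values the comment display code legitimately expects (an assumption for illustration; adjust the set to the values your installation actually uses). The log lines embedded in the block are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Lines 3 and 4 carry injection attempts; line 5 carries an unexpected value.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jun/2007:10:02:11 +0200] "GET /index.php?url=archives/12-hello.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jun/2007:10:02:40 +0200] "GET /index.php?url=archives/12-hello.html&commentMode=threaded HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2007:10:05:03 +0200] "GET /index.php?url=archives/12-hello.html&commentMode=linear%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 200 5900 "-" "python-urllib"
198.51.100.7 - - [17/Jun/2007:10:05:09 +0200] "GET /index.php?url=archives/12-hello.html&commentMode=threaded%22%20OR%201%3D1 HTTP/1.1" 200 5900 "-" "python-urllib"
192.0.2.9 - - [17/Jun/2007:11:30:00 +0200] "GET /index.php?url=archives/12-hello.html&commentMode=foo HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client IP, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Values a comment display-mode switch is assumed to accept (assumption, not from the advisory).
EXPECTED_MODES = {"linear", "threaded"}

# Quote characters, comment markers and keywords that never belong in a display-mode value.
SQLI_RE = re.compile(r"""['"`;#]|--|/\*|\b(union|select|or|and)\b""", re.IGNORECASE)


def comment_mode_values(line):
    """Return the percent-decoded commentMode values found in one log line, or []."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qs decodes %27 etc., so the value is inspected as the application would see it.
    return parse_qs(query, keep_blank_values=True).get("commentMode", [])


def classify(value):
    """Return a reason string if the value looks hostile or unexpected, else None."""
    if SQLI_RE.search(value):
        return "sql metacharacters/keywords"
    if value not in EXPECTED_MODES:
        return "unexpected value"
    return None


def scan(log_text):
    """Scan log text and return one finding per suspicious commentMode value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in comment_mode_values(line):
            reason = classify(value)
            if reason:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "value": value,
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:<15}  {f['reason']:<28}  {f['value']!r}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. Any hit on the first rule is a request the unpatched code would have passed into the query unescaped; a hit on the second rule is worth a look but may just be a typo or a probe.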
by Anitram » Sun Jun 17, 2007 9:08 pm
Can it be that this is the solution to the problem I have been struggling with for weeks?
by garvinhicking » Mon Jun 18, 2007 1:38 pm
Hi Anitram!
Well, that depends on which problem you are talking about.
Regards,
Garvin
by Harald Weingaertner » Tue Jun 19, 2007 5:41 pm
Garvin, after upgrading from 1.1.2 to 1.1.3 my statistic plugin does not allow me to click the referrers any longer.
I always have to upgrade this plugin manually, and even when I upgrade with Spartacus, this cute feature doesn't appear. I think that you provide an older version of this plugin with your releases and upgrades.
I've mentioned this also here http://board.s9y.org/viewtopic.php?t=8561
Could you look into that?
Regards, Harald 
by garvinhicking » Wed Jun 20, 2007 10:38 am
Hi!
The statistics plugin is not maintained in Spartacus!!
Where are you downloading a newer version? There is no newer version available!?
Regards,
Garvin
by Col. Kurtz » Wed Jun 20, 2007 10:57 am
I installed the latest version 1.1.3 and I got the same little problem I had last time. It's just the very first opening of the plugin menu and later it's gone...
http://board.s9y.org/viewtopic.php?p=57033#57033
What am I doing wrong?
Marc
by garvinhicking » Wed Jun 20, 2007 11:42 am
Hi!
The bug is only fixed in 1.2 and not backported to 1.1 versions. 1.1 only contains security bugfixes and other fixes I thought about.
Regards,
Garvin
by garvinhicking » Thu Jun 21, 2007 12:49 pm
Hi!
I've now updated the plugin in SVN for the next release.
Regards,
Garvin
by ormus7577 » Sun Jun 24, 2007 11:58 pm
Using the LITE package for the security 1.1.3 update will be sufficient I guess? The bug is in the core backend, right?
by garvinhicking » Mon Jun 25, 2007 1:07 pm
Hi ormus!
That's right.
Regards,
Garvin
by yellowled » Fri Jul 06, 2007 10:31 am
Sorry I didn't find the time to post this earlier, I just got to installing 1.2-beta2 on my local machine for the first time.
I'm not sure whether this is a bug or a feature, but I think authors are by default not allowed to post entries, which I think is new. So any author has to be "unlocked" to be able to post, which I think is very annoying. So, bug or feature?
EDIT: Okay, I just read in the Bugs forum (go figure!) it's a bug, so forget about that one.
Also, I was just thinking about something, and I'm not sure whether we already have this or whether it is doable, I just thought I'd run it by you.
There are some event plugins which need a specific position in the list of event plugins in order to work properly. Obviously, new users don't have a clue about this. So is it possible (or do we already have this) to sort of "tell" a plugin to take a specific position if it is installed?
YL
by garvinhicking » Fri Jul 06, 2007 11:46 am
Hi!
There are some event plugins which need a specific position in the list of event plugins in order to work properly. Obviously, new users don't have a clue about this. So is it possible (or do we already have this) to sort of "tell" a plugin to take a specific position if it is installed?
A plugin can currently take a fixed position at the end or the beginning of the list.
Sadly it's hard to fix a plugin on a position, because in some cases the order that people find works for them does not work for others because of their requirements. Sometimes a guestbook plugin must come before a staticpage, sometimes not - depending on what you need/want for startpages etc.
I'd prefer instead to educate users on how positioning affects plugins.
Regards,
Garvin