
Important: Serendipity 1.5.3 release, Security issue

garvinhicking
Core Developer

Postby garvinhicking » Mon May 10, 2010 1:55 pm

Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.

A security issue has been discovered by Stefan Esser (http://www.sektioneins.com/index/index.html) during the course of the Month of PHP Security (http://www.php-security.org/). This issue was found in the WYSIWYG library Xinha (http://trac.xinha.org/), which Serendipity uses, and affects certain plugins for Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) that can use a dynamic configuration loader. This loader allows uploading a file with arbitrary PHP code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.

Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not actively using the mentioned Xinha plugins can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.

Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.
# Garvin Hicking (s9y Developer)
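An added example, not part of garvinhicking's post or of the Serendipity project: a small POSIX sh audit script for the workaround described above. It classifies one or more Serendipity document roots as patched (1.5.3 or later), mitigated (the dynamic configuration loader htmlarea/contrib/php-xinha.php is absent) or vulnerable (loader present on an older or unidentifiable version), and moves the loader to a quarantine directory outside the web root instead of deleting it outright. The version is read from `$serendipity['version']` in serendipity_config.inc.php; that location and the assumption that 1.5.3 is the first fixed release are assumptions of this example, not statements from the post.

```shell
#!/bin/sh
# Added example (not from the Serendipity project or the announcement above).
# Audits Serendipity document roots for the Xinha dynamic configuration
# loader and, on request, quarantines it instead of deleting it.
#
# Assumptions (not stated in the announcement):
#   - the installed version is readable from $serendipity['version']
#     in serendipity_config.inc.php
#   - 1.5.3 and later are considered fixed

XINHA_LOADER="htmlarea/contrib/php-xinha.php"
FIXED_VERSION="1.5.3"

# Print the version found in serendipity_config.inc.php, or "unknown".
s9y_version() {
    cfg="$1/serendipity_config.inc.php"
    if [ ! -f "$cfg" ]; then
        echo unknown
        return 0
    fi
    v=$(sed -n "s/.*\$serendipity\['version'\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$cfg" | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unknown; fi
}

# Succeed if dotted numeric version $1 is greater than or equal to $2.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Classify an installation rooted at $1:
#   patched    - version is 1.5.3 or later (loader may stay in place)
#   mitigated  - loader file absent, so the affected plugins cannot load it
#   vulnerable - loader present and version older than 1.5.3 or unknown
#                (unknown is treated as vulnerable on purpose)
xinha_loader_status() {
    root="$1"
    v=$(s9y_version "$root")
    if [ "$v" != unknown ] && version_ge "$v" "$FIXED_VERSION"; then
        echo patched
    elif [ ! -f "$root/$XINHA_LOADER" ]; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# The workaround from the announcement, done reversibly: move the loader
# into a quarantine directory outside the web root (keep a timestamped copy
# so the plugins can be restored after a full upgrade).
# Usage: neutralize_xinha_loader <docroot> <quarantine_dir>
neutralize_xinha_loader() {
    root="$1"
    quarantine="$2"
    src="$root/$XINHA_LOADER"
    [ -f "$src" ] || return 0
    mkdir -p "$quarantine" || return 1
    mv "$src" "$quarantine/php-xinha.php.$(date +%Y%m%d%H%M%S)" || return 1
    [ ! -f "$src" ]
}

# Report every document root given on the command line
# (e.g. sh audit.sh /var/www/blog1 /var/www/blog2); no arguments, no output.
for root in "$@"; do
    printf '%s\t%s\t%s\n' "$root" "$(s9y_version "$root")" "$(xinha_loader_status "$root")"
done
```

Run it read-only first to get an inventory, then call neutralize_xinha_loader only on the roots reported as vulnerable; because the loader is moved rather than removed, a later full upgrade can put the plugins back without reinstalling Xinha.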
