Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted at the function that fetches comment information. This variable was introduced in Serendipity 1.1 - all prior versions are not affected.
Please update your blogs as soon as possible. If you are using a database backend that allows SQL union queries, the injection could probably lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest updating your blog user account passwords.
It is a good idea to check your server's access logs and search for the 'commentMode' variable to see if malicious requests have already been issued to your blog.
For those people that do not want to upgrade to a whole new version, you can also simply patch the file include/functions_comments.inc.php and replace the single occurrence of:
$type = $serendipity['GET']['commentMode'];
to
$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);
We are very sorry for this, but happy to provide a quick fix in a short time. You can download the latest files as usual on www.s9y.org. Read the FAQ on how to perform an easy update.
Last edited by garvinhicking on Sun Aug 26, 2007 6:30 pm, edited 1 time in total.
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
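The access-log check suggested in the announcement, as an added example that is not part of the original post or of the Serendipity project: a small Python scanner over Apache combined-format log lines that flags requests whose commentMode value is not a plain mode name. The log lines are constructed, and the assumption that a legitimate value contains only letters, digits and underscores is mine, not the project's.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access-log layout; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption (not from the project): a legitimate commentMode value is a plain word.
# Quotes, comment markers, spaces or other SQL metacharacters mean the request deserves a look.
SAFE_MODE = re.compile(r'^[A-Za-z0-9_]*$')

def parse_line(line):
    """Return (ip, timestamp, request target) for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('ts'), m.group('target')

def comment_mode_values(target):
    """Every URL-decoded commentMode value in the request target's query string."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get('commentMode', [])

def scan(lines):
    """Yield one finding per request whose commentMode value is not a plain word."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in combined format
        ip, ts, target = parsed
        for value in comment_mode_values(target):
            if not SAFE_MODE.match(value):
                yield {'ip': ip, 'time': ts, 'value': value}

# Constructed sample log: an ordinary page view, a benign commentMode request (value made up),
# and one request whose commentMode carries a stray quote and comment marker.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2007:10:01:02 +0200] "GET /index.php?/archives/12-hello.html HTTP/1.1" 200 5123',
    '203.0.113.5 - - [26/Aug/2007:10:01:09 +0200] "GET /index.php?/archives/12-hello.html&commentMode=trackbacks HTTP/1.1" 200 3311',
    '198.51.100.7 - - [26/Aug/2007:10:02:44 +0200] "GET /index.php?commentMode=trackbacks%27-- HTTP/1.1" 200 4020',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} commentMode={f['value']!r}")
```

A hit only means the parameter was probed; whether the query actually reached the database depends on the version that was running at the time.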
Can it be that this is the solution to the problem I have been struggling with for weeks?
With best regards from Absurdistan!
In the "development stage":
http://www.patente-kunst.de
Free of any preservatives:
http://www.martina-kausch.de
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Hi Anitram!
Well, that depends on which problem you are talking about
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
-
- Regular
- Posts: 474
- Joined: Mon Mar 27, 2006 12:32 am
Garvin, after upgrading from 1.1.2 to 1.1.3 my statistics plugin does not allow me to click the referrers any longer.
I always have to upgrade this plugin manually, and even when I upgrade with Spartacus, this cute feature doesn't appear. I think that you provide an older version of this plugin with your releases and upgrades.
I've mentioned this also here http://board.s9y.org/viewtopic.php?t=8561
Could you look into that?
Regards, Harald
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Hi!
The statistics plugin is not maintained in Spartacus!!
Where are you downloading a newer version? There is no newer version available!?
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
-
- Regular
- Posts: 450
- Joined: Thu May 26, 2005 10:43 am
- Location: Bonn, Germany
- Contact:
I installed the latest version 1.1.3 and I got the same little problem I had last time. It's just the very first opening of the plugin menu and later it's gone...
http://board.s9y.org/viewtopic.php?p=57033#57033
What am I doing wrong?
Marc
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Hi!
The bug is only fixed in 1.2 and not backported to 1.1 versions. 1.1 only contains security bugfixes and other fixes I thought about.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
-
- Regular
- Posts: 474
- Joined: Mon Mar 27, 2006 12:32 am
garvinhicking wrote:
Hi!
The statistics plugin is not maintained in Spartacus!!
Where are you downloading a newer version? There is no newer version available!?
Well, I think I took it from this thread http://board.s9y.org/viewtopic.php?t=8561. I'm not 100% sure, but if you say that it isn't maintained via Spartacus... I may have downloaded the file from http://files.blase16.de/serendipity_eve ... istics.txt
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Hi!
I've now updated the plugin in SVN for the next release.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Using the LITE package for the 1.1.3 security update will be sufficient, I guess? The bug is in the core backend, right?
my installations:
family blog: http://familie.lobenstein.info/
personal blog: http://www.ormus.info/
OrmusTool Homepage: http://tool.ormus.info/
Online Adventskalender: http://www.ormus.info/pages/advent.html
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Hi ormus!
That's right.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Sorry I didn't find the time to post this earlier, I just got to installing 1.2-beta2 on my local machine for the first time.
I'm not sure whether this is a bug or a feature, but I think authors are by default not allowed to post entries, which I think is new. So any author has to be "unlocked" to be able to post, which I think is very annoying. So, bug or feature?
EDIT: Okay, I just read in the Bugs forum (go figure!) it's a bug, so forget about that one.
Also, I was just thinking about something, and I'm not sure whether we already have this or whether it is doable, I just thought I'd run it by you.
There are some event plugins which need a specific position in the list of event plugins in order to work properly. Obviously, new users don't have a clue about this. So is it possible (or do we already have this) to sort of "tell" a plugin to take a specific position if it is installed?
YL
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Hi!
YL wrote:
There are some event plugins which need a specific position in the list of event plugins in order to work properly. Obviously, new users don't have a clue about this. So is it possible (or do we already have this) to sort of "tell" a plugin to take a specific position if it is installed?
A plugin can currently take a fixed position at the end or the beginning of the list.
Sadly it's hard to fix a plugin at a position, because in some cases the order that people find works for them does not work for others because of their requirements. Sometimes a guestbook plugin must come before a staticpage, sometimes not - depending on what you need/want for startpages etc.
I'd prefer instead to educate users on how positioning affects plugins.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/