Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit

Posted: Sun Jun 17, 2007 1:23 pm
by garvinhicking
Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted at the function that fetches comment information. This variable was introduced in Serendipity 1.1 - all prior versions are not affected.

Please update your blogs as soon as possible. If you are using a database backend that allows SQL union queries, the injection could probably lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest updating your blog user account passwords.

It is a good idea to check your server's access logs and search for the 'commentMode' variable to see if malicious requests have already been issued to your blog.

For those people that do not want to upgrade to a whole new version, you can also simply patch the file <strong>include/functions_comments.inc.php</strong> and replace the single occurrence of:

$type = $serendipity['GET']['commentMode'];

to

$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);

We are very sorry for this, but happy to provide a quick fix in short time. You can download the latest files as usual on www.s9y.org. Read the FAQ on how to perform an easy update.
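The log check suggested above, worked through as an added example (not code from the Serendipity project or from this post): a small scanner that parses Apache-style access log lines, pulls every request carrying a 'commentMode' query parameter, and marks values that contain SQL metacharacters or keywords. The sample log lines are constructed for the example, and the "suspicious" heuristic (a quote, backslash, semicolon, or the words UNION/SELECT in the decoded value) is an assumption chosen to match the union-based disclosure mentioned in the post, not a signature published by the project.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jun/2007:14:02:11 +0200] "GET /index.php?url=archives/12-hello.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jun/2007:14:02:15 +0200] "GET /index.php?url=archives/12-hello.html&commentMode=preview HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Jun/2007:14:05:40 +0200] "GET /index.php?url=archives/12-hello.html&commentMode=x'+UNION+SELECT+1-- HTTP/1.1" 200 6100 "-" "curl/7.16"
"""

# ip, ident, user, [timestamp], "METHOD target protocol", status, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed heuristic: SQL metacharacters or UNION/SELECT in the decoded value.
SUSPICIOUS = re.compile(r"['\\;]|\b(union|select)\b", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line plus its decoded query params,
    or None if the line does not match the expected format."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes and turns '+' into spaces, so the check below
    # sees the value the way the application's GET handler would.
    rec["params"] = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def classify(value):
    """Label a commentMode value; anything with SQL syntax gets 'suspicious'."""
    return "suspicious" if SUSPICIOUS.search(value) else "benign-looking"


def scan(log_text):
    """Collect every request that carried a commentMode parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in rec["params"].get("commentMode", []):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "value": value,
                "verdict": classify(value),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} commentMode={hit["value"]!r} -> {hit["verdict"]}')
```

Run it against a real log with `scan(open("access.log").read())`. Because the vulnerable code reads the parameter from the GET array, the query string in the access log is the right place to look; a "benign-looking" verdict only means the value carried no obvious SQL syntax, so any hit from an unexpected client or address is still worth a closer look, and the password-rotation advice above stands regardless of what the log shows.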

Posted: Sun Jun 17, 2007 9:08 pm
by Anitram
Can it be that this is the solution to the problem I have been struggling with for weeks?

Posted: Mon Jun 18, 2007 1:38 pm
by garvinhicking
Hi Anitram!

Well, that depends on which problem you are talking about :-D

Regards,
Garvin

Posted: Tue Jun 19, 2007 5:41 pm
by Harald Weingaertner
Garvin, after upgrading from 1.1.2 to 1.1.3 my statistic plugin does not allow me to click the referrers any longer.

I always have to upgrade this plugin manually and even when i upgrade with Spartacus, this cute feature doesn't appear. I think, that you provide an older version of this plugin with your releases and upgrades.

I've mentioned this also here http://board.s9y.org/viewtopic.php?t=8561

Could you look into that?

Regards, Harald

Posted: Wed Jun 20, 2007 10:38 am
by garvinhicking
Hi!

The statistics plugin is not maintained in Spartacus!!

Where are you downloading a newer version? There is no newer version available!?

Regards,
Garvin

Posted: Wed Jun 20, 2007 10:57 am
by Col. Kurtz
I installed the latest version 1.1.3 and I got the same little problem I had last time. It's just the very first opening of the plugin menu and later it's gone...

http://board.s9y.org/viewtopic.php?p=57033#57033

What am I doing wrong?

Posted: Wed Jun 20, 2007 11:42 am
by garvinhicking
Hi!

The bug is only fixed in 1.2 and not backported to 1.1 versions. 1.1 only contains security bugfixes and other fixes I thought about. :-)

Regards,
Garvin

Posted: Wed Jun 20, 2007 8:53 pm
by Harald Weingaertner
garvinhicking wrote:Hi!

The statistics plugin is not maintained in Spartacus!!

Where are you downloading a newer version? There is no newer version available!?
Well, I think I took it from this thread http://board.s9y.org/viewtopic.php?t=8561. I'm not 100% sure, but if you say that it isn't maintained via Spartacus... I may have downloaded the file from http://files.blase16.de/serendipity_eve ... istics.txt

;)

Posted: Thu Jun 21, 2007 12:49 pm
by garvinhicking
Hi!

I've now updated the plugin in SVN for the next release.

Regards,
Garvin

Posted: Sun Jun 24, 2007 11:58 pm
by ormus7577
Using the LITE package for the security 1.1.3 update will be sufficient I guess? The bug is in the core backend, right?

Posted: Mon Jun 25, 2007 1:07 pm
by garvinhicking
Hi ormus!

That's right.

Regards,
Garvin

Posted: Fri Jul 06, 2007 10:31 am
by yellowled
Sorry I didn't find the time to post this earlier, I just got to installing 1.2-beta2 on my local machine for the first time.

I'm not sure whether this is a bug or a feature, but I think authors are by default not allowed to post entries, which I think is new. So any author has to be "unlocked" to be able to post, which I think is very annoying. So, bug or feature?

EDIT: Okay, I just read in the Bugs forum (go figure!) it's a bug, so forget about that one.

Also, I was just thinking about something, and I'm not sure whether we already have this or whether it is doable, I just thought I'd run it by you.

There are some event plugins which need a specific position in the list of event plugins in order to work properly. Obviously, new users don't have a clue about this. So is it possible (or do we already have this) to sort of "tell" a plugin to take a specific position if it is installed?

YL

Posted: Fri Jul 06, 2007 11:46 am
by garvinhicking
Hi!
There are some event plugins which need a specific position in the list of event plugins in order to work properly. Obviously, new users don't have a clue about this. So is it possible (or do we already have this) to sort of "tell" a plugin to take a specific position if it is installed?
A plugin can currently take a fixed position at the end or the beginning of the list.

Sadly it's hard to fix a plugin on a position, because in some cases the order that people find works for them does not work for others because of their requirements. Sometimes a guestbook plugin must come before a staticpage, sometimes not - depending on what you need/want for startpages etc.

I'd prefer instead to educate users on how positioning affects plugins.

Regards,
Garvin