Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit

garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit

Post by garvinhicking »

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted to the function that fetches comment information. This variable was introduced to Serendipity 1.1 - all prior versions are not affected.

Please update your blogs as soon as possible. If you are using a database backend that allows SQL union queries, the injection could probably lead to disclosure of the stored MD5 password hashes. Because of this, we also suggest updating your blog user account passwords.

It is a good idea to check your server's access logs and search for the 'commentMode' variable to see if malicious requests have already been issued to your blog.

For those people that do not want to upgrade to a whole new version, you can also simply patch the file include/functions_comments.inc.php and replace the single occurrence of:

$type = $serendipity['GET']['commentMode'];

to

$type = serendipity_db_escape_string($serendipity['GET']['commentMode']);

We are very sorry for this, but happy to provide a quick fix in short time. You can download the latest files as usual on www.s9y.org. Read the FAQ on how to perform an easy update.
Last edited by garvinhicking on Sun Aug 26, 2007 6:30 pm, edited 1 time in total.
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
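Added example, not part of the original post or of the Serendipity code base: a small Python script implementing the access-log check Garvin recommends above. It assumes Apache combined-format log lines (the sample lines below are constructed) and flags any request whose decoded commentMode value contains characters outside the plain alphanumeric set the parameter is meant to carry.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Aug/2007:10:01:02 +0200] "GET /index.php?url=archives/12-post.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Aug/2007:10:01:09 +0200] "GET /comment.php?type=trackback&entry_id=12&commentMode=RSS HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Aug/2007:10:02:44 +0200] "GET /index.php?commentMode=RSS%27 HTTP/1.1" 200 9000 "-" "curl/7.16"
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate commentMode value is a short keyword: letters, digits, underscore only.
SAFE_VALUE = re.compile(r'^[A-Za-z0-9_]*$')


def find_commentmode_requests(log_text):
    """Return a list of (line_no, decoded_value, suspicious) for every request
    that carries a commentMode query parameter. 'suspicious' is True when the
    decoded value contains anything beyond [A-Za-z0-9_], e.g. a quote."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        # parse_qs percent-decodes the values, so %27 becomes a literal quote.
        for value in parse_qs(query, keep_blank_values=True).get('commentMode', []):
            hits.append((line_no, value, SAFE_VALUE.match(value) is None))
    return hits


if __name__ == '__main__':
    for line_no, value, suspicious in find_commentmode_requests(SAMPLE_LOG):
        flag = 'SUSPICIOUS' if suspicious else 'ok'
        print(f'line {line_no}: commentMode={value!r} [{flag}]')
```

Run it against a real log with `find_commentmode_requests(open('access.log').read())`; every flagged line deserves a look at the source address and the rest of that client's requests.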
Anitram
Regular
Posts: 430
Joined: Mon Nov 27, 2006 4:51 pm
Contact:

Post by Anitram »

Can it be that this is the solution to the problem I have been struggling with for weeks?
With best regards from Absurdistan!

In the "development stage":
http://www.patente-kunst.de

Free of any preservatives:
http://www.martina-kausch.de
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi Anitram!

Well, that depends on which problem you are talking about :-D

Regards,
Garvin
Harald Weingaertner
Regular
Posts: 474
Joined: Mon Mar 27, 2006 12:32 am

Post by Harald Weingaertner »

Garvin, after upgrading from 1.1.2 to 1.1.3 my statistic plugin does not allow me to click the referrers any longer.

I always have to upgrade this plugin manually, and even when I upgrade with Spartacus, this cute feature doesn't appear. I think that you provide an older version of this plugin with your releases and upgrades.

I've mentioned this also here http://board.s9y.org/viewtopic.php?t=8561

Could you look into that?

Regards, Harald
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

The statistics plugin is not maintained in Spartacus!!

Where are you downloading a newer version? There is no newer version available!?

Regards,
Garvin
Col. Kurtz
Regular
Posts: 450
Joined: Thu May 26, 2005 10:43 am
Location: Bonn, Germany
Contact:

Post by Col. Kurtz »

I installed the latest version 1.1.3 and I got the same little problem I had last time. It's just the very first opening of the plugin menu and later it's gone...

http://board.s9y.org/viewtopic.php?p=57033#57033

What am I doing wrong?
Marc
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

The bug is only fixed in 1.2 and not backported to 1.1 versions. 1.1 only contains security bugfixes and other fixes I thought about. :-)

Regards,
Garvin
Harald Weingaertner
Regular
Posts: 474
Joined: Mon Mar 27, 2006 12:32 am

Post by Harald Weingaertner »

garvinhicking wrote: Hi!

The statistics plugin is not maintained in Spartacus!!

Where are you downloading a newer version? There is no newer version available!?
Well, I think I took it from this thread http://board.s9y.org/viewtopic.php?t=8561. I'm not 100% sure, but if you say that it isn't maintained via Spartacus... I may have downloaded the file from http://files.blase16.de/serendipity_eve ... istics.txt

;)
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

I've now updated the plugin in SVN for the next release.

Regards,
Garvin
ormus7577
Regular
Posts: 122
Joined: Sat Nov 04, 2006 12:11 pm
Location: Ulm, Germany

Post by ormus7577 »

Using the LITE package for the security 1.1.3 update will be sufficient I guess? The bug is in the core backend, right?
my installations:
family blog: http://familie.lobenstein.info/
personal blog: http://www.ormus.info/
OrmusTool Homepage: http://tool.ormus.info/
Online Adventskalender: http://www.ormus.info/pages/advent.html
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi ormus!

That's right.

Regards,
Garvin
yellowled
Regular
Posts: 7111
Joined: Fri Jan 13, 2006 11:46 am
Location: Eutin, Germany
Contact:

Post by yellowled »

Sorry I didn't find the time to post this earlier, I just got to installing 1.2-beta2 on my local machine for the first time.

I'm not sure whether this is a bug or a feature, but I think authors are by default not allowed to post entries, which I think is new. So any author has to be "unlocked" to be able to post, which I think is very annoying. So, bug or feature?

EDIT: Okay, I just read in the Bugs forum (go figure!) it's a bug, so forget about that one.

Also, I was just thinking about something, and I'm not sure whether we already have this or whether it is doable, I just thought I'd run it by you.

There are some event plugins which need a specific position in the list of event plugins in order to work properly. Obviously, new users don't have a clue about this. So is it possible (or do we already have this) to sort of "tell" a plugin to take a specific position if it is installed?

YL
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!
There are some event plugins which need a specific position in the list of event plugins in order to work properly. Obviously, new users don't have a clue about this. So is it possible (or do we already have this) to sort of "tell" a plugin to take a specific position if it is installed?
A plugin can currently take a fixed position at the end or the beginning of the list.

Sadly it's hard to fix a plugin on a position, because in some cases the order that people find works for them does not work for others because of their requirements. Sometimes a guestbook plugin must come before a staticpage, sometimes not - depending on what you need/want for startpages etc.

I'd prefer instead to educate users on how positioning affects plugins.

Regards,
Garvin