The CMS Expert

Good and bad things come in doubles, it seems. We are sorry to inform you that another security issue in Serendipity has been found by the High-Tech Bridge SA Security Research Lab (Advisory HTB23092). This issue has been reported today at 11:27 a…

Grischa needs some help on updating the XML-RPC for more iOS clients. Here’s the quote from his original posting of the s9y forum post:

At the moment I am enhancing the xml-rpc interface of Serendipity with WordPress functionality.

The idea: If …

The Serendipity Team is proud to present the final release of Serendipity 1.6. We are steadily walking towards a Serendipity 2.0 release and would be happy about any developer who may want to join our cause. The list of things is available on http…

Serendipity’s code repository is being hosted on BerliOS for several years. Their free service is now closing down, which means that Serendipity will move its versioning control to a new provider.

The current idea is to migrate SVN over to GitHub…

MustLive discovered a HTML-injection vulnerability in the tagcloud.swf Flashfile that the Freetag-Plugin bundles and makes optionally available.

The issue is fixed in version 1.23 of the flashfile, which has now been committed to the Serendipity …

Even though the Disqus.com comment integration is easily integratable inside a serendipity template already, the need for a specific plugin was raised on the forums.

serendipity_event_disqus is now available on Spartacus and provides exactly this…

The podcast plugin has recently been improved to offer a much more flexible configuration with custom player and HTML5 audio/video support. The flowplayer has been added as a new, more flexible flash-video player replacement.

You can now specify …

It has come to our attention that the Cronjob-Plugin (serendipity_event_cronjob) has a bug that prevents it from properly detecting the next scheduled update time. This bug has been fixed in version 0.6, which should now be available through Spart…

This week, the SourceForge.Net servers have been attacked. Since the Serendipity project hosts files and our plugin’s CVS on SourceForge’s provided servers, this also affects our maintaineance and distribution of plugins through Spartacus.

For pe…

Serendipity bundles the powerful Xinha WYSIWYG editor to provide its functionality to our users.

Xinha ships with several plugins that utilize PHP scripting for special usage, like the ImageManager or ExtendedFileManager. A 0-day security exploit has been reported available as of today that exploits the functionality of these plugins to upload malicious files to your webspace, to execute foreign code.

Since no official patch has been made on the Xinha side, the Serendipity Team has released an updated version where those active Xinha-Plugins are no longer executable.

If you do not wish to apply the patch to the most recent Serendipity version 1.5.5 you can remove those files:

• htmlarea/contrib/php-xinha.php
• htmlarea/plugins/ExtendedFileManager/config.inc.php
• htmlarea/plugins/FormOperations/formmail.php
• htmlarea/plugins/HtmlTidy/html-tidy-logic.php
• htmlarea/plugins/ImageManager/config.inc.php
• htmlarea/plugins/InsertPicture/InsertPicture.php
• htmlarea/plugins/InsertSnippet/snippets.php
• htmlarea/plugins/SpellChecker/aspell_setup.php
• htmlarea/plugins/SpellChecker/spell-check-logic.php
• htmlarea/plugins/SuperClean/tidy.php

The provided functionality is usually not enabled by default, since Serendipity provides its own media file manager.

Future serendipity releases might re-enable these features, once they are safely patched.

To see if you are infected, please check the directories htmlarea/plugins/ImageManager/demo_images and htmlarea/plugins/ExtendedFileManager/demo_images to see if files have been uploaded there. If so, delete the files and check your webspace for other modified files, as well as change your passwords for FTP and SQL access. Please upgrade as soon as possible.

The release can be found on the Serendipity Download page. All serendipity versions from 1.4 to 1.6 (alpha) are affected. 1.6 alpha users should migrate to a recent SVN head checkout or tomorrow’s snapshot.

Thanks a lot to Hauser & Wenz for reporting the issue. Serendipity fully acknowledges responsible full disclosure, non-reported 0-day exploits are helping nobody of true OpenSource spirit.