Linux News » Serendipity » Serendipity 1.5.3 released, Security Issue with Xinha

Feeds

15064 items (11768 unread) in 63 feeds

Podcasts (1206 unread)

• RadioTux GNU/Linux Blog (672 unread)
• ubuntublog.ch » Podcast (11 unread)
• Computerclub Zwei (159 unread)
• Linux-Club Podcast (2 unread)
• DeimHart (66 unread)
• IT-Pod (16 unread)
• Schieb Blog (268 unread)
• Linux Lounge (12 unread)

News (8639 unread)

• openSUSE News (474 unread)
• freiesMagazin - Magazin rund um GNU/Linux und Freie Software (89 unread)
• Linux-Magazin Online News (4046 unread)
• LinuxTag: News (164 unread)
• CHIP-LINUX-Blog (10 unread)
• /usr/local/bin (6 unread)
• Linux-Redaktion (148 unread)
• Pro-Linux News (3588 unread)
• Chaos Computer Club (114 unread)

Blogs (1617 unread)

• moenk's blog - Linux (7 unread)
• miradlo bloggt » linux (20 unread)
• RTFM! (124 unread)
• Linux und ich
• mgBlog » Linux (43 unread)
• blogging::cero (2 unread)
• Tuxpost Blog (49 unread)
• Linux Installieren (8 unread)
• NaturalNik Broadcast » Linux (17 unread)
• Linus' blog (38 unread)
• Linux-aktuell.info (18 unread)
• Karl-Tux-Stadt (254 unread)
• geeks' blog (1 unread)
• blechBlog Linux (18 unread)
• Technical-Life » Linux (51 unread)
• zInformatik » Linux (12 unread)
• || .:zefanja:. || (29 unread)
• Fredo's Blog (38 unread)
• Windows vs. Linux (11 unread)
• Bites, Bytes and my 5 cents » Linux (10 unread)
• Linux und Ich » GNU/Linux (310 unread)
• Development Site - Linux (75 unread)
• onli blogging - Linux (76 unread)
• Ubuntu Blog (17 unread)
• campino2k » Linux (62 unread)
• daten|teiler.de » Gnu/Linux (47 unread)
• Unerklärliches am Rande » linux (24 unread)
• serenity's blog » KDE, OSS & IT (33 unread)
• bejonet (38 unread)
• Ich Bin Ein Geek Holt Mich Hier Raus (26 unread)
• BLIT-Blog (49 unread)
• Yet another linux blog (8 unread)
• Ubuntu Linux Blog (1 unread)
• Rootserver-Experiment (22 unread)
• helixrider's Linux (1 unread)
• Tux Area (49 unread)
• Nicht spurlos Linux (15 unread)
• Konstantin Filtschew WebLog Linux (10 unread)
• Geocaching Bayern Linux (4 unread)

Software (306 unread)

• KDE4.DE (49 unread)
• Serendipity (40 unread)
• better office Blog
• oshelpdesk.org » Linux (43 unread)
• YaCy-Blog (16 unread)
• linux-befehle.org/blogspot.com (49 unread)
• RUN LINUX! Fragen und Antworten (109 unread)

Serendipity

• May 10, 2010
• 

  Serendipity 1.5.3 released, Security Issue with Xinha

  Posted: May 10, 2010, 1:37pm CEST

  Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.

  A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG-Library Xinha (that Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows to upload file with arbitrary PHP-Code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.

  Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.

  Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.

  var flattr_uid = 'supergarv'; var flattr_tle = 'Serendipity 1.5.3 released, Security Issue with Xinha'; var flattr_dsc = 'Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes. A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG-Library Xinha (that Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows to upload file with arbitrary PHP-Code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend. Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don\'t want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless. Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible. '; var flattr_cat = 'text'; var flattr_lng = 'en_GB'; var flattr_tag = ''; var flattr_url = 'http://blog.s9y.org/archives/217-Serendipity-1.5.3-released,-Security-Issue-with-Xinha.html'; var flattr_btn = 'default';