Christian Wenz's Blog:
Serendipity Upgrade to v 1.5.x Gotcha
Dec 24, 2009 @ 12:44:55

Christian Wenz points out a "gotcha" for those upgrading Serendipity to the latest 1.5.x version - an issue with a SQL script not being run.

I just updated Serendipity to version 1.5.1 on one of our servers; yet afterwards I could not log in anymore. Also, Serendipity reported that version 1.5.1 was present, although I did not run the update script from the admin console yet. At first I thought I did something wrong, but a s9y forum posting described a similar issue.

The issue came from a SQL update script that hadn't been run when the upgrade process thought it had. He includes the two SQL statements you'll need to run to fix the problem.

tagged: serendipity upgrade gotcha

Christopher Kunz's Blog:
Review: Serendipity - Individuelle Weblogs für Einsteiger und Profis
May 29, 2008 @ 18:49:17

Christopher Kunz has posted a quick review of a book from the Open Source Press covering Serendipity, a popular blogging system.

Yesterday, my review copy of Garvin Hicking's book "Serendipity - Individuelle Weblogs für Einsteiger und Profis" (Open Source Press, 39,90, ISBN 978-3-937514-54-3) was in the mail. Unfortunately, this book is currently only available in German, but I'm sure Garvin (or someone else) will translate it and publish it (maybe with the nice guys at Packt publishing?) soon.

He notes that the massive, 750-page book covers just about everything you'd ever need to know about the Serendipity blogging system. Christopher specifically mentions a few things: a good summary of installation and configuration, a meticulous list of the plugins, and the chapter that focuses on administration and security.

tagged: book review serendipity opensourcepress german

Community News:
Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit
Jun 19, 2007 @ 12:47:00

As Christopher Kunz points out, Serendipity users should check out a new blog posting over on the CMS system's website concerning an immediate update they've released.

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted to the function that fetches comment information. This variable was introduced to Serendipity 1.1 - all prior versions are not affected.

They also suggest checking your access logs for requests carrying a "commentMode" variable to see whether any attacks have already been made. The fix is a simple matter of editing the functions_comments.inc.php file and replacing the line of code they give with the more secure version. Again, this is recommended as an immediate upgrade for Serendipity users.

tagged: serendipity cms sql exploit commentmode functioncomments

Pierre-Alain Joye's Blog:
how to do not work around filter (don't be lazy :)
Dec 22, 2006 @ 13:14:01

On his blog, Pierre-Alain Joye talks about the ext/filter extension and how several developers choose to "work around" it instead of using its features outright.

On the other hand, the same persons worked around ext/filter with ugly hacks. Edin pointed me to one of these horrible pieces of code in Serendipity; as I saw this code in other applications like flyspray, I think it is time to raise your attention about what not to do.

The code he's referencing is a snippet that manually filters each of the superglobals to get rid of any problems that might have been put in. He also points out two security problems with the code, which come down to two rules: only use plain PHP functions as a fallback when filter isn't available, and never use the superglobals directly outside of the filtering.

Stefan Esser has his own comments on the topic too. He votes for the other way around (his own functions over filter's methods) and expresses the opinion that the ext/filter extension is a bad idea, similar to the improper use of magic_quotes_gpc.

Pierre has also responded to these comments in an update to his own blog entry. Check it out for the full story.

tagged: pecl filter extension workaround example serendipity

Dan Scott's Blog:
Serendipity (s9y) blog: Security release
Oct 19, 2006 @ 16:23:00

If you're a Serendipity user, you need to install the patch that Dan Scott mentions in his latest blog post:

I thought you should know they just released a security update to fix an XSS issue in the administration backend. Unfortunately, s9y.org itself appears to be very ill at the moment: I kept getting 500 - Internal Server Error.

There's an update that's been released and (will be) available from their site, but you can also just upgrade to the latest version as downloaded from their sourceforge repository.

For more information, check out the Hardened-PHP Group's security advisory on the issue.

tagged: serendipity security release patch xss latest download

NewsForge:
New kid on the blog: A look at Serendipity 1.0
Jul 19, 2006 @ 11:17:40

On the NewsForge website, there's a new look at the latest version of a popular PHP-based content management system, Serendipity 1.0.

Serendipity is a PHP-based content management system (CMS) for powering blogs and other sites, and has a feature set that should make any blogger happy. After several years in development, the Serendipity team hit the 1.0 mark on June 15. Let's see how the 1.0 release shakes out.

The author (Joe Brockmeier) opts to jump in with both feet, making a complete switch over from WordPress to Serendipity. He goes through some of the common tasks like posting items and management behind the scenes. He also talks a bit about extending Serendipity, using the wealth of plugins offered both officially and by the community.

In the end, though, what it boils down to are his thoughts on the latest release - overall good, but nothing he saw that made it outstanding in its field.

tagged: serendipity version1.0 content management system review
