
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN222
____________________________________________________________________

DATE                : 21/05/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Serendipity versions prior
                      to 1.6.2.

======================================================================
http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html
______________________________________________________________________

Serendipity 1.6.2 released

Wednesday, May 16. 2012
Posted by Garvin Hicking in Announcements, Development, Infrastructure,
Security


Good and bad things come in doubles, it seems. We are sorry to inform
you that another security issue in Serendipity has been found by the
High-Tech Bridge SA Security Research Lab (Advisory HTB23092). This
issue has been reported today at 11:27 and we're happy to provide a
quick fix for that.

You can either download the full 1.6.2 release, or apply this simple
fix to the file include/functions_trackbacks.inc.php: diff on github.
The error here is that input is not properly validated and can be used
(when magic_quotes_gpc is off) to inject SQL code into a SQL query; since
our DB layer does not execute multiple statements, and the involved SQL
query is not used to produce output code, we regard the impact as low.
Nevertheless, please upgrade your installation.

Serendipity is an open-source based product with no specific funding,
so we depend on nice people like High-Tech Bridge, Stefan Schurtz,
Hanno Böck and all the others of the past to report issues to us. In
turn we promise to fix them as quickly and transparently as possible.
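The following is an added illustration of the class of defect described in the post above; it is not Serendipity's code and does not reproduce include/functions_trackbacks.inc.php. Table, column and function names are hypothetical, the in-memory database assumes PHP's PDO SQLite driver is available, and the sample input is constructed. It contrasts a query built by string interpolation, which depends on request-side escaping such as magic_quotes_gpc, with a prepared statement and an explicit type check, neither of which needs that setting.

```php
<?php
// Added example, not Serendipity's own code. Table "trackbacks" and its
// columns are hypothetical; the request values below are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE trackbacks (id INTEGER PRIMARY KEY, entry_id INTEGER, url TEXT)');
$db->exec("INSERT INTO trackbacks (entry_id, url) VALUES (1, 'http://example.org/a')");
$db->exec("INSERT INTO trackbacks (entry_id, url) VALUES (2, 'http://example.org/b')");

// Fragile pattern: the request value is pasted into the SQL text. With
// magic_quotes_gpc off, a quote character inside $input is not escaped and
// alters the statement itself rather than being treated as data.
function countTrackbacksByInterpolation(PDO $db, string $input): int {
    $sql = "SELECT COUNT(*) FROM trackbacks WHERE url = '" . $input . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened pattern: a prepared statement keeps SQL and data separate, so the
// query is correct whatever the value contains and whatever magic_quotes_gpc
// is set to. This is the fix to prefer over any escaping done at the edge.
function countTrackbacksByUrl(PDO $db, string $input): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM trackbacks WHERE url = ?');
    $stmt->execute([$input]);
    return (int) $stmt->fetchColumn();
}

// Where a value is supposed to be numeric (an entry id, say), validate its
// type before it gets anywhere near the query, then still bind it.
function countTrackbacksForEntry(PDO $db, string $rawId): int {
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('entry id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM trackbacks WHERE entry_id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: an ordinary URL and one containing a single quote,
// the kind of character magic_quotes_gpc would have escaped when enabled.
$plain  = 'http://example.org/a';
$quoted = "http://example.org/it's";

echo 'prepared, plain value: ', countTrackbacksByUrl($db, $plain), "\n";
echo 'prepared, quoted value: ', countTrackbacksByUrl($db, $quoted), "\n";
echo 'typed id: ', countTrackbacksForEntry($db, '2'), "\n";

// The interpolated form cannot even handle the quote as data: the statement
// is malformed, which is the same mechanism that lets injected SQL run.
try {
    echo 'interpolated, quoted value: ', countTrackbacksByInterpolation($db, $quoted), "\n";
} catch (PDOException $e) {
    echo 'interpolated query failed: ', $e->getMessage(), "\n";
}
```

The point the post makes about impact being limited because the DB layer does not execute multiple statements is a property of the database abstraction, not of the query code; the prepared-statement form above removes the defect at its source rather than relying on that property.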

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
