I just updated Serendipity to version 1.5.1 on one of our servers; yet afterwards I could not log in anymore. Also, Serendipity reported that version 1.5.1 was present, although I did not run the update script from the admin console yet. At first I thought I did something wrong, but a s9y forum posting described a similar issue.

The issue came from a SQL update script that hadn't been run when the upgrade process thought it had. He includes the two SQL statements you'll need to run to fix the problem.

Yesterday, my review copy of Garvin Hicking's book "Serendipity - Individuelle Weblogs fur Einsteiger und Profis" (Open Source Press, 39,90, ISBN 978-3-937514-54-3) was in the mail. Unfortunately, this book is currently only available in German, but I'm sure Garvin (or someone else) will translate it and publish it (maybe with the nice guys at Packt publishing?) soon.

He notes that the book (the massive book at 750 pages) covers just about everything you'd ever need to know about the Serendipity blogging system. Christopher specifically mentions a few things - a good summary for installation and configuration, a meticulous list of the plugins and the chapter that focuses on administration and security.

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted to the function that fetches comment information. This variable was introduced to Serendipity 1.1 - all prior versions are not affected.

They also suggest checking you access logs for a "commentMode" variable issued in requests to see if there were any kind of attacks made already. The fix is a simple matter of editing the functions_comments.inc.php file and replacing the line of code they give with the more secure versions. Again, this is recommended as an immediate upgrade for Serendipity users.

On the other hand, the same persons worked around ext/filter with ugly hacks. Edin pointed me to one of these horrible codes in Serendipity, as I saw this code in other applications like flyspray, I think it is time to raise your attention about what to do not do.

The code he's referencing is a snippet that manually filters each of the superglobals to get rid of any problems that might have been put in. He points out two security problems with the code too: only use PHP functions as a fallback when filter isn't available and never use the superglobals directly outside of the filtering.

Stefan Esser has his own comments on the topic too. He votes for the other way around (own functions over filter's methods) and expresses the opinion that the ext/filter extension is a bad idea similar to the impropper use of magic_quotes_gpc.

Pierre has also responded to these comments in an update to how own blog entry. Check it out for the full story...

I thought you should know they just released a security update to fix an XSS issue in the administration backend. Unfortunately, s9y.org itself appears to be very ill at the moment: I kept getting 500 - Internal Server Error.

There's an update that's been released and (will be) available from their site, but you can also just upgrade to the latest version as downloaded from their sourceforge repository.

For more information, check out the Hardened-PHP Group's security advisory on the issue.

Serendipity is a PHP-based content management system (CMS) for powering blogs and other sites, and has a feature set that should make any blogger happy. After several years in development, the Serendipity team hit the 1.0 mark on June 15. Let's see how the 1.0 release shakes out.

The author (Joe Brockmeier) opts to jump in with both feet, making a complete switch over from WordPress to Serendipity. He goes through some of the common tasks like posting items and management behind the scenes. He also talks a bit about extending Serendipity, using the wealth of plugins offered both officially and by the community.

In the end, though, what it boils down to are his thoughts on the latest release - overall good, but nothing he saw that made it outstanding in its field.

The Serendipity Team is proud to announce the final release version of Serendipity 1.0, an advanced and flexible blogging/cms web application. With its comprehensive feature set, including multiple authors, internationalization, templated output, and an open plugin architecture, Serendipity's stable 1.0 release is ready to become the most popular Web application in the world!

You can get the full story in their latest blog post today, including the latest bugfixes, how to upgrade your current installation, the future of the project, and, of course, the "thank you"s going out to all those that helped.

You can download this latest release directly from their site.

He populates the tags for the entries in a simple way - a SQL query that goes through and updates the tag table with the current category for the entry.