Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Community News:
Serendipity 1.1.3 and 1.2-beta2 released due to SQL exploit
Jun 19, 2007 @ 12:47:00

As Christopher Kunz points out, Serendipity users should check out a new blog posting over on the CMS system's website concerning an immediate update they've released.

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted to the function that fetches comment information. This variable was introduced to Serendipity 1.1 - all prior versions are not affected.

They also suggest checking you access logs for a "commentMode" variable issued in requests to see if there were any kind of attacks made already. The fix is a simple matter of editing the functions_comments.inc.php file and replacing the line of code they give with the more secure versions. Again, this is recommended as an immediate upgrade for Serendipity users.

tagged: serendipity cms sql exploit commentmode functioncomments serendipity cms sql exploit commentmode functioncomments

Link:


Trending Topics: