Christopher Kunz has posted a quick review of a book from the Open Source Press covering Serendipity, a popular blogging system.

Yesterday, my review copy of Garvin Hicking's book "Serendipity - Individuelle Weblogs fur Einsteiger und Profis" (Open Source Press, 39,90, ISBN 978-3-937514-54-3) was in the mail. Unfortunately, this book is currently only available in German, but I'm sure Garvin (or someone else) will translate it and publish it (maybe with the nice guys at Packt publishing?) soon.

He notes that the book (the massive book at 750 pages) covers just about everything you'd ever need to know about the Serendipity blogging system. Christopher specifically mentions a few things - a good summary for installation and configuration, a meticulous list of the plugins and the chapter that focuses on administration and security.

As Christopher Kunz points out, Serendipity users should check out a new blog posting over on the CMS system's website concerning an immediate update they've released.

Serendipity 1.1.3 and 1.2-beta2 have been released due to a SQL injection attack reported by Dr. Neal Krawetz today. It is possible to abuse a 'commentMode' variable to inject SQL code that was targeted to the function that fetches comment information. This variable was introduced to Serendipity 1.1 - all prior versions are not affected.

They also suggest checking you access logs for a "commentMode" variable issued in requests to see if there were any kind of attacks made already. The fix is a simple matter of editing the functions_comments.inc.php file and replacing the line of code they give with the more secure versions. Again, this is recommended as an immediate upgrade for Serendipity users.

On his blog, Pierre-Alain Joye talks about the ext/filter extension and how several developers just choose to "work around" it instead of using its features right out.

On the other hand, the same persons worked around ext/filter with ugly hacks. Edin pointed me to one of these horrible codes in Serendipity, as I saw this code in other applications like flyspray, I think it is time to raise your attention about what to do not do.

The code he's referencing is a snippet that manually filters each of the superglobals to get rid of any problems that might have been put in. He points out two security problems with the code too: only use PHP functions as a fallback when filter isn't available and never use the superglobals directly outside of the filtering.

Stefan Esser has his own comments on the topic too. He votes for the other way around (own functions over filter's methods) and expresses the opinion that the ext/filter extension is a bad idea similar to the impropper use of magic_quotes_gpc.

Pierre has also responded to these comments in an update to how own blog entry. Check it out for the full story...

If you're a Serendipity user, you need to install the pactch that Dan Scott mentions in his latest blog post:

I thought you should know they just released a security update to fix an XSS issue in the administration backend. Unfortunately, s9y.org itself appears to be very ill at the moment: I kept getting 500 - Internal Server Error.

There's an update that's been released and (will be) available from their site, but you can also just upgrade to the latest version as downloaded from their sourceforge repository.

For more information, check out the Hardened-PHP Group's security advisory on the issue.

On the NewsForge website, there's this new look at the latest version of a popular PHP-based content management system - Serendipity 1.0.

Serendipity is a PHP-based content management system (CMS) for powering blogs and other sites, and has a feature set that should make any blogger happy. After several years in development, the Serendipity team hit the 1.0 mark on June 15. Let's see how the 1.0 release shakes out.

The author (Joe Brockmeier) opts to jump in with both feet, making a complete switch over from WordPress to Serendipity. He goes through some of the common tasks like posting items and management behind the scenes. He also talks a bit about extending Serendipity, using the wealth of plugins offered both officially and by the community.

In the end, though, what it boils down to are his thoughts on the latest release - overall good, but nothing he saw that made it outstanding in its field.

As noted by both Tobias Schlitt and Sebastian Bergmann, the popular blogging software, Serendipity has reached a huge milestone in its development - the release of version 1.0.

The Serendipity Team is proud to announce the final release version of Serendipity 1.0, an advanced and flexible blogging/cms web application. With its comprehensive feature set, including multiple authors, internationalization, templated output, and an open plugin architecture, Serendipity's stable 1.0 release is ready to become the most popular Web application in the world!

You can get the full story in their latest blog post today, including the latest bugfixes, how to upgrade your current installation, the future of the project, and, of course, the "thank you"s going out to all those that helped.

You can download this latest release directly from their site.

Davey Shafik has done some "spring cleaning" on his blog and finally implemented a tagging based system for it (using the Serendipity software) away from the category system it uses by default. In this new post he shares the simple solution to how he did it.

He populates the tags for the entries in a simple way - a SQL query that goes through and updates the tag table with the current category for the entry.