
SECURITY UPDATE: Serendipity 1.7.8 Update

Last modified: June 28, 2022


High-Tech Bridge SA Security Research Lab discovered the Serendipity vulnerability. Attackers frequently use this flaw to launch SQL injection attacks.

SQL injection in Serendipity

Input passed to comment.php via the "url" GET parameter is not sanitized properly before it is used in a SQL query. This allows an attacker to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/comment.php?type=trackback&entry_id=1&url=%27%20OR%20mid%28version%28%29,1,1%29=5%20--%202

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" be off.
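The flaw described above, as an added example that is not Serendipity's own code: a hypothetical trackback lookup in the unsafe string-built form beside a parameterised one, an approximation of what magic_quotes_gpc did to the PoC value, and a check over access-log lines that flags the request. The table, log lines and function names are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed inputs: the advisory's PoC query string and two made-up access-log lines.
POC_QS = "type=trackback&entry_id=1&url=%27%20OR%20mid%28version%28%29,1,1%29=5%20--%202"
SAMPLE_LOG = [
    '203.0.113.9 - - [28/Jun/2022:10:00:01 +0000] "GET /comment.php?type=trackback'
    '&entry_id=1&url=http%3A%2F%2Fblog.example%2Fpost HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Jun/2022:10:00:02 +0000] "GET /comment.php?' + POC_QS + ' HTTP/1.1" 200 512',
]
SQLI_HINT = re.compile(r"'\s*(or|and)\b|--\s|/\*|\bunion\b", re.IGNORECASE)

def url_param(query_string):
    # The decoded 'url' value, as PHP's $_GET['url'] sees it (parse_qs splits on the first '=')
    return parse_qs(query_string, keep_blank_values=True).get("url", [""])[0]

def naive_sql(url_value):
    # The unsafe pattern: the value is spliced into the statement text. Shown here, never executed.
    return f"SELECT id FROM trackbacks WHERE url = '{url_value}'"

def lookup_trackback(conn, url_value):
    # Hardened lookup: the value is bound as a parameter, so quotes inside it stay data
    row = conn.execute("SELECT id FROM trackbacks WHERE url = ?", (url_value,)).fetchone()
    return row[0] if row else None

def magic_quotes(value):
    # Approximation of magic_quotes_gpc=On (addslashes on GPC input); explains the advisory's
    # "must be off" condition, but it is a deprecated setting, not a fix
    return re.sub(r"([\\'\"])", r"\\\1", value)

def flag_requests(log_lines):
    # Detection over access logs: comment.php requests whose url value carries SQL syntax
    hits = []
    for line in log_lines:
        m = re.search(r'^(\S+) .*"GET /comment\.php\?([^ "]*)', line)
        if m and SQLI_HINT.search(url_param(m.group(2))):
            hits.append((m.group(1), url_param(m.group(2))))
    return hits

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trackbacks (id INTEGER PRIMARY KEY, url TEXT)")
    conn.execute("INSERT INTO trackbacks (url) VALUES ('http://blog.example/post')")
    evil = url_param(POC_QS)
    return {
        "safe_lookup": lookup_trackback(conn, evil),  # None: no row equals the literal string
        "legit_lookup": lookup_trackback(conn, "http://blog.example/post"),
        "escaped": magic_quotes(evil),
        "flagged": flag_requests(SAMPLE_LOG),
    }
```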

Solution:

Firstly, to solve this issue, we suggest you upgrade to Serendipity 1.7.8.

Furthermore, if you need more information, please visit:

and

Vulnerability Description:

The Serendipity back end is prone to Cross-Site Scripting and SQL Injection vulnerabilities.

Solution:

Firstly, to solve the problem, it is necessary to upgrade to version 1.7.8. To upgrade the scripts, go to your Control Panel -> Softaculous -> Installations.

Then, you can update the scripts.

For more information, you can visit Serendipity 1.6.1 released
