SECURITY UPDATE: Serendipity 1.7.8 Update
High-Tech Bridge SA Security Research Lab discovered the Serendipity vulnerability. Attackers frequently use the flaw to launch SQL injection attacks.
SQL injection in Serendipity
Before the 1.1 input is used in a SQL query, it is first passed to comment.php via the “url” GET parameter which is not sanitized properly. Therefore, it allows individuals to manipulate SQL queries. Moreover, they can carry out manipulation by injecting arbitrary SQL code.
However, you can refer the following PoC (Proof of Concept) which demonstrates the vulnerability:
Then, successful exploitation of this vulnerability needs that “magic_quotes_gpc” to be off.
The Serendipity back end is prone to a Cross-Site Scripting and SQL-Injection vulnerability.
Firstly, to solve the problem, it is necessary to upgrade to version 1.7.8. To upgrade these scripts, go to your Control Panel -> Softaculous -> Installations.
Then, you can update the scripts.