Serendipity 1.0.4 released
This new Serendipity release addresses a local file inclusion security
issue discovered yesterday. It was possible to give a special parameter
to a Serendipity file to include a file on your own web-tree (or other
files the webserver has read access to). If used on clear-text files,
this could be used to disclose information like the Apache logfiles on
your website.
This error can only happen in a scenario with two prerequisites: register_globals needs to be turned on in your PHP configuration AND your webserver must ignore the default Serendipity .htaccess file. This .htaccess file usually prevents Serendipity's include files from being called directly via HTTP. Thus we feel that only a very low percentage of installations should be affected by this bug.
However, Serendipity 1.0.4 is a recommended upgrade for everyone taking security responsibly, like we do. We are thankful to the community for inspecting Serendipity, searching for bugs and security issues and reporting them to us. In this case, many thanks to Majestic from the forums for notifying us. … (via Serendipity)
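An added example (not from the Serendipity project or the original post): a Python check of the two prerequisites named above, run over configuration text. It assumes Apache httpd, where AllowOverride None is one way a server comes to ignore .htaccess files; the paths and config snippets are constructed and the function names are hypothetical.

```python
import re

PHP_TRUE = {"1", "on", "yes", "true"}  # values PHP treats as boolean true in php.ini

# Constructed sample input, not taken from any real installation.
SAMPLE_PHP_INI = "; register_globals = Off\nregister_globals = On\n"
SAMPLE_APACHE_CONF = '<Directory "/var/www">\n    AllowOverride None\n</Directory>\n'

def register_globals_on(php_ini):
    """Prerequisite 1. The last uncommented directive wins; PHP's default is Off."""
    value = "off"
    for line in php_ini.splitlines():
        m = re.match(r"\s*register_globals\s*=\s*([^;\s]+)", line, re.I)
        if m:
            value = m.group(1).strip('"').lower()
    return value in PHP_TRUE

def htaccess_ignored(apache_conf, blog_dir, default="all"):
    """Prerequisite 2. AllowOverride None in the most specific literal <Directory>
    block covering blog_dir makes Apache skip .htaccess files there.
    default: value assumed when no covering block sets the directive
    (httpd's built-in default is All before 2.3.9 and None from 2.3.9 on)."""
    current, best_len, override = None, -1, default
    for raw in apache_conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        setting = re.match(r"AllowOverride\s+(.+)", line, re.I)
        if opened:
            current = opened.group(1).strip().rstrip("/") or "/"
        elif line.lower().startswith("</directory"):
            current = None
        elif setting and current is not None:
            prefix = "" if current == "/" else current
            # Longest matching directory path is the most specific block.
            if (blog_dir + "/").startswith(prefix + "/") and len(current) > best_len:
                best_len, override = len(current), setting.group(1).strip().lower()
    return override == "none"

def both_prerequisites_met(php_ini, apache_conf, blog_dir):
    """True only when both conditions from the announcement hold at once."""
    return register_globals_on(php_ini) and htaccess_ignored(apache_conf, blog_dir)

if __name__ == "__main__":
    hit = both_prerequisites_met(SAMPLE_PHP_INI, SAMPLE_APACHE_CONF, "/var/www/blog")
    print("upgrade urgently" if hit else "prerequisites not both met; still upgrade")
```

Wildcard and regex <Directory> patterns, <VirtualHost> scoping and Include files are not resolved here, so a False result is only as complete as the text passed in.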
- Author:
- opencm.de on 1 December 2006 at 11:16
