If you are using Serendipity, stop everything you are doing and read this:
Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG-Library Xinha (that Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows to upload file with arbitrary PHP-Code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.
Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don’t want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.
Now go and update your blogs as soon as possible. You can either just remove that file or do a full-blown update. Our scanner will now also alert on old versions being used.
