In Serendipity before 2.0.5, an attacker can bypass SSRF protection by
using a malformed IP address (e.g., http://127.1) or a 30x (aka
Redirection) HTTP status code.
blog.s9y.org/archives/271-Serendipity-2.0.5-and-2.1-beta3-released.html
github.com/s9y/Serendipity/commit/fbdd50a448ed87ba34ea8c56446b8f1873eadd6f
launchpad.net/bugs/cve/CVE-2016-9752
nvd.nist.gov/vuln/detail/CVE-2016-9752
security-tracker.debian.org/tracker/CVE-2016-9752
www.cve.org/CVERecord?id=CVE-2016-9752