Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11249
HistoryFeb 01, 2006 - 12:00 a.m.

[Full-disclosure] ZRCSA-200601: SPIP - Multiple Vulnerabilities

2006-02-0100:00:00
vulners.com
124
JSON

Zone-H Research Center Security Advisory 200601
http://www.zone-h.fr

Date of release: 31/01/2006
Software: SPIP (http://www.spip.net)
Affected versions: < 1.8.2-e , < 1.9 Alpha 2 (5539)
Risk: Medium
Discovered by: Kevin Fernandez "Siegfried" and Benoît Sklénard
"netcraft" from the Zone-H Research Team

Background

SPIP is a publishing system for the Internet.
Come again? It consists of a bundle of files, installed in your web
account and allowing you to take advantage of a number of automated
tasks: multi-user management, laying out your articles without the
need to use HTML, easily modifying the structure of your site. From
the very same application used to browse a site (Netscape, Microsoft
Internet Explorer, Mozilla, Opera…), SPIP enables you to build and
update a site, thanks to a very simple user interface.

Details

Some sql injections and cross-site scripting vulnerabilities have been
discovered.

-When we contacted the vendor, he already had fixed some of them:
multiple sql injections exploitable in the administrative area.

The ones which weren't fixed when we contacted him were the sql
injections in the forum (public area).

in formulaires/inc-formulaire_forum.php3 :
// recuperer les donnees du forum auquel on repond, false = forum interdit
list ($idr, $idf, $ida, $idb, $ids) = $args;
if (!$r = sql_recherche_donnees_forum ($idr, $idf, $ida, $idb, $ids))
return '';

It is exploitable via forum.php3 , example:
/forum.php3?id_article=1&id_forum=-1//UNION//SELECT%20pass%20from%20spip_auteurs/*
or with any other variable (id_article, id_breve…) like:
/forum.php3?id_article=-1//UNION//SELECT%20pass%20from%20spip_auteurs/*

It is exploitable like this with magic_quotes_gpc on or off.

A full path disclosure problem was present in inc-messforum.php3 when
accessing it directly, let's say the spip path is /var/www/spip , it
could then be used to exploit the sql injection (if magic_quotes_gpc
is off) to inject php code in a writable directory(The "IMG" folder,
like 3 others, are writable by default).

So if magic_quotes_gpc = Off , Display_errors = On and SPIP is version
1.8.2 or prior, it can be exploited to compromise a vulnerable system.

The vendor also discovered 2 potential sql injections in the session
handling and when posting "petitions" (maybe others).

-We also notified the vendor of a xss problem, it isn't fixed.
index.php3?lang=">xss

Solution

The sql injection vulnerabilities have been fixed in the latest svn
snapshot (5546): svn://trac.rezo.net/spip/spip
or here: http://trac.rezo.net/files/spip/spip.zip

Original advisories:
English: http://www.zone-h.org/en/advisories/read/id=8650/
French: http://www.zone-h.fr/fr/advisories/read/id=874/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON