mailing list archives
ZRCSA-200601: SPIP - Multiple Vulnerabilities
From: Siegfried <siegfri3d () gmail com>
Date: Wed, 1 Feb 2006 00:10:11 +0100
Zone-H Research Center Security Advisory 200601
Date of release: 31/01/2006
Software: SPIP (http://www.spip.net)
Affected versions: < 1.8.2-e , < 1.9 Alpha 2 (5539)
Discovered by: Kevin Fernandez "Siegfried" and Benoît Sklénard
"netcraft" from the Zone-H Research Team
SPIP is a publishing system for the Internet.
Come again? It consists of a bundle of files, installed in your web
account and allowing you to take advantage of a number of automated
tasks: multi-user management, laying out your articles without the
need to use HTML, easily modifying the structure of your site. From
the very same application used to browse a site (Netscape, Microsoft
Internet Explorer, Mozilla, Opera...), SPIP enables you to build and
update a site, thanks to a very simple user interface.
Some sql injections and cross-site scripting vulnerabilities have been
-When we contacted the vendor, he already had fixed some of them:
multiple sql injections exploitable in the administrative area.
The ones which weren't fixed when we contacted him were the sql
injections in the forum (public area).
in formulaires/inc-formulaire_forum.php3 :
// recuperer les donnees du forum auquel on repond, false = forum interdit
list ($idr, $idf, $ida, $idb, $ids) = $args;
if (!$r = sql_recherche_donnees_forum ($idr, $idf, $ida, $idb, $ids))
It is exploitable via forum.php3 , example:
or with any other variable (id_article, id_breve..) like:
It is exploitable like this with magic_quotes_gpc on or off.
A full path disclosure problem was present in inc-messforum.php3 when
accessing it directly, let's say the spip path is /var/www/spip , it
could then be used to exploit the sql injection (if magic_quotes_gpc
is off) to inject php code in a writable directory(The "IMG" folder,
like 3 others, are writable by default).
So if magic_quotes_gpc = Off , Display_errors = On and SPIP is version
1.8.2 or prior, it can be exploited to compromise a vulnerable system.
The vendor also discovered 2 potential sql injections in the session
handling and when posting "petitions" (maybe others).
-We also notified the vendor of a xss problem, it isn't fixed.
The sql injection vulnerabilities have been fixed in the latest svn
snapshot (5546): svn://trac.rezo.net/spip/spip
or here: http://trac.rezo.net/files/spip/spip.zip
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- ZRCSA-200601: SPIP - Multiple Vulnerabilities Siegfried (Jan 31)