|
|
|
>>
VUPEN Security / Public Mailing Lists Mirror |
Assigned : VUPEN/ADV-2006-0398
From : Siegfried <siegfri3d at gmail.com>
Subject : ZRCSA-200601: SPIP - Multiple Vulnerabilities
Date : 2006-02-01
Original Message
Zone-H Research Center Security Advisory 200601
http://www.zone-h.fr
Date of release: 31/01/2006
Software: SPIP (http://www.spip.net)
Affected versions: < 1.8.2-e , < 1.9 Alpha 2 (5539)
Risk: Medium
Discovered by: Kevin Fernandez "Siegfried" and Beno=EEt Skl=E9nard
"netcraft" from the Zone-H Research Team
Background
----------
SPIP is a publishing system for the Internet.
Come again? It consists of a bundle of files, installed in your web
account and allowing you to take advantage of a number of automated
tasks: multi-user management, laying out your articles without the
need to use HTML, easily modifying the structure of your site. From
the very same application used to browse a site (Netscape, Microsoft
Internet Explorer, Mozilla, Opera...), SPIP enables you to build and
update a site, thanks to a very simple user interface.
Details
--------
Some sql injections and cross-site scripting vulnerabilities have been
discovered.
-When we contacted the vendor, he already had fixed some of them:
multiple sql injections exploitable in the administrative area.
The ones which weren't fixed when we contacted him were the sql
injections in the forum (public area).
in formulaires/inc-formulaire_forum.php3 :
// recuperer les donnees du forum auquel on repond, false = forum int=
erdit
list ($idr, $idf, $ida, $idb, $ids) = $args;
if (!$r = sql_recherche_donnees_forum ($idr, $idf, $ida, $idb, $ids))
return '';
It is exploitable via forum.php3 , example:
/forum.php3?id_article=1&id_forum=-1/**/UNION/**/SELECT%20pass%20from%2=
0spip_auteurs/*
or with any other variable (id_article, id_breve..) like:
/forum.php3?id_article=-1/**/UNION/**/SELECT%20pass%20from%20spip_auteurs=
/*
It is exploitable like this with magic_quotes_gpc on or off.
A full path disclosure problem was present in inc-messforum.php3 when
accessing it directly, let's say the spip path is /var/www/spip , it
could then be used to exploit the sql injection (if magic_quotes_gpc
is off) to inject php code in a writable directory(The "IMG" folder,
like 3 others, are writable by default).
So if magic_quotes_gpc = Off , Display_errors = On and SPIP is version
1.8.2 or prior, it can be exploited to compromise a vulnerable system.
The vendor also discovered 2 potential sql injections in the session
handling and when posting "petitions" (maybe others).
-We also notified the vendor of a xss problem, it isn't fixed.
index.php3?lang=">xss
Solution
---------
The sql injection vulnerabilities have been fixed in the latest svn
snapshot (5546): svn://trac.rezo.net/spip/spip
or here: http://trac.rezo.net/files/spip/spip.zip
Original advisories:
English: http://www.zone-h.org/en/advisories/read/id=8650/
French: http://www.zone-h.fr/fr/advisories/read/id=874/
Disclaimer : VUPEN Security does not endorse the content of this
message submitted by others to public mailinglists. Messages submitted to public
mailinglists do not necessarily reflect the opinions or policies of VUPEN Security.
VUPEN Security makes no warranties, express or implied, as to the content of the message
in this page or the accuracy and reliability of any messages and other materials
submitted to public mailinglists. Any questions or comments regarding this page
should be sent to
team@vupen.com
|
|
|
|
|
|
Monthly Statistics |
 |
|
|
|
| |
|
Try VUPEN
VNS |
 |
|
 |
|
| |
|
 |
| |
|
|
|
|
