lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060131235835.8215.qmail@securityfocus.com>
Date: 31 Jan 2006 23:58:35 -0000
From: research@...e-h.fr
To: bugtraq@...urityfocus.com
Subject: ZRCSA-200601: SPIP - Multiple Vulnerabilities


Zone-H Research Center Security Advisory 200601
http://www.zone-h.fr

Date of release: 31/01/2006
Software: SPIP (http://www.spip.net)
Affected versions: < 1.8.2-e , < 1.9 Alpha 2 (5539)
Risk: Medium
Discovered by: Kevin Fernandez "Siegfried" and Benoît Sklénard "netcraft" from the Zone-H Research Team

Background
----------
SPIP is a publishing system for the Internet.
Come again? It consists of a bundle of files, installed in your web account and allowing you to take advantage of a number of automated tasks: multi-user management, laying out your articles without the need to use HTML, easily modifying the structure of your site. From the very same application used to browse a site (Netscape, Microsoft Internet Explorer, Mozilla, Opera...), SPIP enables you to build and update a site, thanks to a very simple user interface.

Details
--------
Some sql injections and cross-site scripting vulnerabilities have been discovered.

-When we contacted the vendor, he already had fixed some of them: multiple sql injections exploitable in the administrative area.

The ones which weren't fixed when we contacted him were the sql injections in the forum (public area).

in formulaires/inc-formulaire_forum.php3 :
    // recuperer les donnees du forum auquel on repond, false = forum interdit  
         list ($idr, $idf, $ida, $idb, $ids) = $args;  
if (!$r = sql_recherche_donnees_forum ($idr, $idf, $ida, $idb, $ids))  
                 return ''; 

It is exploitable via forum.php3 , example:
/forum.php3?id_article=1&id_forum=-1/**/UNION/**/SELECT%20pass%20from%20spip_auteurs/*
or with any other variable (id_article, id_breve..) like:
/forum.php3?id_article=-1/**/UNION/**/SELECT%20pass%20from%20spip_auteurs/*

It is exploitable like this with magic_quotes_gpc on or off.

A full path disclosure problem was present in inc-messforum.php3 when accessing it directly, let's say the spip path is /var/www/spip , it could then be used to exploit the sql injection (if magic_quotes_gpc is off) to inject php code in a writable directory(The "IMG" folder, like 3 others, are writable by default).

So if magic_quotes_gpc = Off , Display_errors = On and SPIP is version 1.8.2 or prior, it can be exploited to compromise a vulnerable system.

The vendor also discovered 2 potential sql injections in the session handling and when posting "petitions" (maybe others).

-We also notified the vendor of a xss problem, it isn't fixed.
index.php3?lang=">xss

Solution
---------
The sql injection vulnerabilities have been fixed in the latest svn snapshot (5546): svn://trac.rezo.net/spip/spip
or here: http://trac.rezo.net/files/spip/spip.zip

Original advisories:
English: http://www.zone-h.org/en/advisories/read/id=8650/
French: http://www.zone-h.fr/fr/advisories/read/id=874/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ