| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 01 Oct 2011 12:30:28 +0200 From: Laurent OUDOT at TEHTRI-Security <laurent.oudot-ml@...tri-security.com> To: full-disclosure@...ts.grok.org.uk Cc: Laurent Estieux <laurent.estieux-ml@...tri-security.com> Subject: [Tehtri-Security] SPIP CMS fixed (0days) Gents, Our CTO discovered two vulnerabilities in a well-known CMS product named SPIP : - a local path disclosure (all SPIP version) - and an SQL injection (SPIP 1.9.2 branch) Technical information were notified to the SPIP-Team for fixes (responsible disclosure, with fixes included). SPIP is now patched and latest version can be downloaded (see further). If you want more 0days and more offensive tricks, check how to join us through the end of this email ;) *About the SPIP vulnerabilities* == Background: SPIP is a publishing system for the Internet in which great importance is attached to collaborative working, to multilingual environments, and to simplicity of use for web authors. == 1st Security Advisory: TEHTRIS-SA-2011-011 -- Title: SQL Injection in SPIP 1.9.2j -- Affected Vendors: SPIP (www.spip.net) -- Affected Product: SPIP -- Versions: 1.9.2j -- CVE-ID: linked to CVE-2008-5813 == 2nd Security Advisory: TEHTRIS-SA-2011-010 -- Title: Local Path Disclosure in all SPIP version -- Affected Vendors: SPIP (www.spip.net) -- Affected Product: SPIP -- Versions: 1.9.2j, 2.0.15, 2.1.10 == Credits: Discovered by _Laurent Estieux_ CTO TEHTRI-Security == Update your CMS: http://www.spip.net/en_article5265.html == Vulnerability reference (in french) : http://www.spip-contrib.net/SPIP-1-9-2k-2-0-16-2-1-11-et-3-0-0-beta-disponibles == Other references: http://www.spip.net/rubrique33.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5813 *About TEHTRI-security* [w] http://www.tehtri-security.com [m] web@...tri-security.com [t] @tehtris *Join us for live hacking sessions* - OCT 2011 / Hack In The Box / Kuala Lumpur, Malaysia Training: "Hunting Web Attackers" [w] http://conference.hitb.org/hitbsecconf2011kul/?page_id=274 => 0days included - don't use them at home, kids :) ==> Sorry: HITB Classroom already FULL - DEC 2011 / Black Hat / Abu Dhabu, UAE Training: "Advanced PHP Hacking" [w] https://www.blackhat.com/html/bh-ad-11/training/bh-ad-11-training_PHP.html => 0days included - don't use them at home, kids :) - FEB 2012 / Hack In The Box GSEC / Mumbai, India Training "Strategic Cyber Attacks,Advanced Persistent Threats & Beyond" [w] http://gsec.hitb.org/?p=134 => 0days included - don't use them at home, kids :) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists