## SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982)

### Product Description

SPIP is a publishing system for the Internet which puts importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The `valider_xml` script can be used to enumerate files on the system. Both the directory it lists (`$url`) and the extension it filters on (`$req_ext`) come from the request: the directory is passed straight to `is_dir()` without being confined to the site's own tree, and the extension check only requires a run of word characters, `.` or `*`, so a value such as `ini` is accepted. The matching file names are then echoed back to the user.

* **Access Vector**: remote
* **Security Risk**: medium
* **Vulnerability**: CWE-538
* **CVSS Base Score**: 4.9 (Medium)
* **CVE-ID**: CVE-2016-7982

### Proof of Concept

Enumerating `.ini` files inside `/etc` (SPIP 3.1.1):

http://ift.tt/2efE58x

Bypassing the SPIP 3.1.2 protection using PHP wrappers:

http://ift.tt/2dRo31Z

### Vulnerable code

```php
if (is_dir($url)) {
	$dir = (substr($url, -1, 1) === '/') ? $url : "$url/";
	$ext = !preg_match('/^[.*\w]+$/', $req_ext) ? 'php' : $req_ext;
	$files = preg_files($dir, "$ext$", $limit, $rec);
	if (!$files and $ext !== 'html') {
		$files = preg_files($dir, 'html$', $limit, $rec);
		if ($files) {
			$ext = 'html';
		}
	}
	if ($files) {
		$res = valider_dir($files, $ext, $url);
		list($err, $res) = valider_resultats($res, $ext === 'html');
```

File names are stored in `$res` and displayed by `echo` on line 146:

```php
echo "
", $titre, '
', $bandeau, '
', "
", $onfocus, "
", $res, fin_page();
```

### Timeline (dd/mm/yyyy)

* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 27/09/2016 : Incorrect fixes for Path Traversal
* 27/09/2016 : New proof of concept for bypassing Path Traversal sent
* 27/09/2016 : Bad fix for Path Traversal (23185)
* 28/09/2016 : New proof of concept for bypassing fixes for Path Traversal on Windows systems
* 28/09/2016 : Fixes issued for Path Traversal (23200)
* 30/09/2016 : SPIP 3.1.3 released

### Fixes

* http://ift.tt/2diDCiu
* http://ift.tt/2cFPvBd
* http://ift.tt/2cFQbGC
* http://ift.tt/2dt0zm9
* http://ift.tt/2d44Eun
* http://ift.tt/2dt1cMd
* http://ift.tt/2dh6SUN
* http://ift.tt/2cIpeAL
* http://ift.tt/2dh6B42
* http://ift.tt/2cIp8sM
* http://ift.tt/2d3G4gs
* http://ift.tt/2dgWnks
* http://ift.tt/2cS91Xg
* http://ift.tt/2cS8fJz

### Affected versions

* Version <= 3.1.2

### Credits

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
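Returning to the vulnerable code above: the block below is an added example in PHP (the project's language), not code from SPIP or from the advisory. It reduces the directory-listing branch to its two request-controlled inputs, `$url` and `$req_ext`, and puts a hardened version beside it. Several things are assumed rather than taken from the page: `list_by_ext()` is a simplified stand-in for SPIP's `preg_files()`, the `file://` scheme is assumed as the PHP wrapper used in the 3.1.2 bypass (the advisory says "PHP wrappers" without naming one), the `php`/`html`/`xml` whitelist is a choice for the demo and not SPIP's 3.1.3 fix, and the directory layout under the temp directory is constructed for the run. It is written for a Unix-like host.

```php
<?php
// Added example, not code from SPIP or from the advisory. It reduces the
// directory-listing branch of valider_xml to its two request-controlled
// inputs ($url and $req_ext) and puts a hardened version beside it.
// list_by_ext() is a stand-in for SPIP's preg_files(), not a copy of it.

// Files directly under $dir whose name ends with the pattern $ext_regex.
function list_by_ext(string $dir, string $ext_regex, int $limit): array {
    $entries = scandir($dir);
    if ($entries === false) {
        return [];
    }
    $files = [];
    foreach ($entries as $f) {
        if ($f === '.' || $f === '..') {
            continue;
        }
        if (@preg_match("/{$ext_regex}$/", $f) === 1) {
            $files[] = $dir . $f;
            if (count($files) >= $limit) {
                break;
            }
        }
    }
    return $files;
}

// SPIP <= 3.1.2 logic: $url is used as given, and the extension regex
// accepts '.' and '*', so ext=ini (or even ext=.*) works on any directory
// the PHP process can read.
function valider_dir_vulnerable(string $url, string $req_ext, int $limit = 100): array {
    if (!is_dir($url)) {
        return [];
    }
    $dir = (substr($url, -1, 1) === '/') ? $url : "$url/";
    $ext = !preg_match('/^[.*\w]+$/', $req_ext) ? 'php' : $req_ext;
    return list_by_ext($dir, $ext, $limit);
}

// Hardened variant: refuse stream wrappers and NUL bytes, resolve the path
// relative to the site root and require the canonical result to stay under
// it, and take the extension from a fixed whitelist. This is the kind of
// check the advisory calls for, not SPIP's own 3.1.3 patch.
function valider_dir_hardened(string $url, string $req_ext, string $root, int $limit = 100): array {
    // "file:///etc" passes a naive leading-'/' or '..' filter; reject any scheme.
    if (strpos($url, '://') !== false || strpos($url, "\0") !== false) {
        return [];
    }
    $root_real = realpath($root);
    if ($root_real === false) {
        return [];
    }
    // realpath() collapses "..", symlinks and, on Windows, "\" separators,
    // which is why the containment test is done on the canonical path and
    // not on the raw request string.
    $real = realpath($root_real . DIRECTORY_SEPARATOR . $url);
    if ($real === false || !is_dir($real)) {
        return [];
    }
    $prefix = $root_real . DIRECTORY_SEPARATOR;
    if ($real !== $root_real && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return [];
    }
    $allowed = ['php', 'html', 'xml'];   // demo whitelist, an assumption
    $ext = in_array($req_ext, $allowed, true) ? $req_ext : 'php';
    return list_by_ext($real . DIRECTORY_SEPARATOR, preg_quote($ext, '/'), $limit);
}

// Demo on a constructed layout under the system temp directory:
//   <base>/site/index.php   the web root the listing must stay inside
//   <base>/secret/db.ini    a directory outside it
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'spip_demo_' . getmypid();
mkdir("$base/site", 0700, true);
mkdir("$base/secret", 0700, true);
file_put_contents("$base/site/index.php", "<?php\n");
file_put_contents("$base/secret/db.ini", "password=x\n");

// ext=ini on a directory outside the site: the vulnerable logic lists it,
// and going through the file:// wrapper works just the same.
print_r(valider_dir_vulnerable("$base/secret", 'ini'));
print_r(valider_dir_vulnerable("file://$base/secret", 'ini'));

// Hardened logic: traversal and wrapper are refused, in-root listing still works.
print_r(valider_dir_hardened('../secret', 'ini', "$base/site"));
print_r(valider_dir_hardened("file://$base/secret", 'ini', "$base/site"));
print_r(valider_dir_hardened('.', 'php', "$base/site"));

unlink("$base/site/index.php");
unlink("$base/secret/db.ini");
rmdir("$base/site");
rmdir("$base/secret");
rmdir($base);
```

The two vulnerable calls return the `db.ini` path, the first two hardened calls return empty arrays and the last returns only `index.php`. The point of the hardened version is the order of checks: the scheme and NUL-byte filter runs on the raw string, everything else runs on the `realpath()` result, so a fix that only inspects the request string for a leading `/` or a `..` component (which is what a wrapper or a backslash-separated path slips past) is never relied on.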