Lucene search
K

SPIP 3.1.2 Cross Site Scripting

🗓️ 19 Oct 2016 00:00:00Reported by Nicolas ChatelainType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 34 Views

SPIP 3.1.2 Reflected XSS in valider_xml.ph

Related
Code
ReporterTitlePublishedViews
Family
0day.today
SPIP 3.1.2 Cross Site Scripting Vulnerability
20 Oct 201600:00
zdt
Circl
CVE-2016-7981
19 Oct 201620:44
circl
CNVD
SPIP cross-site scripting vulnerability (CNVD-2016-09663)
12 Oct 201600:00
cnvd
CVE
CVE-2016-7981
18 Jan 201717:00
cve
Cvelist
CVE-2016-7981
18 Jan 201717:00
cvelist
Debian
[SECURITY] [DLA 695-1] spip security update
2 Nov 201622:00
debian
Debian CVE
CVE-2016-7981
18 Jan 201717:00
debiancve
Tenable Nessus
Debian DLA-695-1 : spip security update
3 Nov 201600:00
nessus
Tenable Nessus
Linux Distros Unpatched Vulnerability : CVE-2016-7981
25 Aug 202500:00
nessus
Nuclei
SPIP <3.1.2 - Cross-Site Scripting
4 Jul 202603:00
nuclei
Rows per page
`## SPIP 3.1.2 Reflected Cross-Site Scripting (CVE-2016-7981)  
  
### Product Description  
  
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.  
  
### Vulnerability Description  
  
The `var_url` parameter of the `valider_xml` file is not correctly sanitized and can be used to trigger a reflected XSS vulnerability.  
  
**Access Vector**: remote  
  
**Security Risk**: medium  
  
**Vulnerability**: CWE-79  
  
**CVSS Base Score**: 6.8 (Medium)  
  
**CVE-ID**: CVE-2016-7981  
  
### Proof of Concept  
  
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=%22%3E%3Ch1%3EXSS!%3C/h1%3E  
  
### Vulnerable code  
  
The `$url variable` is not properly sanitized in `valider_xml.php`, line 134 :  
  
$res =  
"<div style='text-align: center'>" . $err . "</div>" .  
"<div style='margin: 10px; text-align: left'>" . $texte . '</div>';  
$bandeau = "<a href='$url_aff'>$url</a>";  
  
The Cross-Site Scripting vulnerability is triggered on line 146 :  
  
echo "<h1>", $titre, '<br>', $bandeau, '</h1>',  
  
  
### Timeline (dd/mm/yyyy)  
  
* 15/09/2016 : Initial discovery  
* 26/09/2016 : Contact with SPIP Team  
* 27/09/2016 : Answer from SPIP Team, sent advisory details  
* 27/09/2016 : Incorrect fix from SPIP Team.  
* 27/09/2016 : New proof of concept for bypassing fixes for XSS sent.  
* 27/09/2016 : Fixes issued for XSS (23185).  
* 30/09/2016 : SPIP 3.1.3 Released  
  
### Fixes  
  
* https://core.spip.net/projects/spip/repository/revisions/23200  
* https://core.spip.net/projects/spip/repository/revisions/23201  
* https://core.spip.net/projects/spip/repository/revisions/23202  
  
  
### Affected versions  
  
* Version <= 3.1.2  
  
### Credits  
  
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)  
  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation