Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNicolas ChatelainPACKETSTORM:139240
HistoryOct 20, 2016 - 12:00 a.m.

SPIP 3.1.2 Server Side Request Forgery

2016-10-2000:00:00
Nicolas Chatelain
packetstormsecurity.com
24

0.004 Low

EPSS

Percentile

75.1%

JSON
`## SPIP 3.1.2 Server Side Request Forgery (CVE-2016-7999)  
  
### Product Description  
  
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.  
  
### Vulnerability Description  
  
It's possible to send HTTP/FTP requests using the `valider_xml` file.  
Attackers can make it look like the server is sending the request, possibly bypassing access controls such as a firewall that would prevent the attacker from accessing the URLs directly.  
  
**Access Vector**: remote  
  
**Security Risk**: medium  
  
**Vulnerability**: CWE-918  
  
**CVSS Base Score**: 5.5 (Medium)  
  
**CVE-ID**: CVE-2016-7999  
  
### Proof of Concept  
  
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=http://router-dev.srv/  
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=ftp://ftp.debian.org/  
  
  
### Vulnerable code  
  
The FTP connection is initialized by the `is_dir` function inside `valider_xml`, line 79 :  
  
if (is_dir($url)) {  
  
Other PHP Wrappers supporting `is_dir` can be called using this function.  
  
The HTTP connection is initiated at line 123:  
  
$res = $transformer_xml(recuperer_page($url));  
  
### Timeline (dd/mm/yyyy)  
  
* 15/09/2016 : Initial discovery  
* 26/09/2016 : Contact with SPIP Team  
* 27/09/2016 : Answer from SPIP Team, sent advisory details  
* 27/09/2016 : Server Side Request Forgery vulnerability correct vulnerabilities.  
* 30/09/2016 : SPIP 3.1.3 Released  
  
### Fixes  
  
* https://core.spip.net/projects/spip/repository/revisions/23188  
* https://core.spip.net/projects/spip/repository/revisions/23193  
  
### Affected versions  
  
* Version <= 3.1.2  
  
### Credits  
  
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)  
  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
  
  
  
  
  
  
  
  
`

Related

zdt 1
debiancve 1
cve 1
ubuntucve 1
nvd 1
prion 1
osv 2
cvelist 1
debian 1
openvas 2
nessus 1
zdt
zdt
SPIP 3.1.2 Server Side Request Forgery Vulnerability
2016-10-20 00:00:00
debiancve
debiancve
CVE-2016-7999
2017-01-18 17:59:01
cve
cve
CVE-2016-7999
2017-01-18 17:59:01
ubuntucve
ubuntucve
CVE-2016-7999
2017-01-18 00:00:00
nvd
nvd
CVE-2016-7999
2017-01-18 17:59:01
prion
prion
Server side request forgery (ssrf)
2017-01-18 17:59:00
osv
osv
CVE-2016-7999
2017-01-18 17:59:01
spip - security update
2016-11-02 00:00:00
cvelist
cvelist
CVE-2016-7999
2017-01-18 17:00:00
debian
debian
[SECURITY] [DLA 695-1] spip security update
2016-11-02 22:00:02
openvas
openvas
Debian: Security Advisory (DLA-695-1)
2023-03-08 00:00:00
SPIP < 3.1.3 Multiple Vulnerabilities
2016-11-08 00:00:00
nessus
nessus
Debian DLA-695-1 : spip security update
2016-11-03 00:00:00

0.004 Low

EPSS

Percentile

75.1%

JSON
Related for PACKETSTORM:139240
zdt1debiancve1cve1ubuntucve1nvd1prion1osv2cvelist1debian1openvas2nessus1