Vulners
Lucene search
SPIP 3.1.2 Server Side Request Forgery
🗓️ 20 Oct 2016 00:00:00Reported by Nicolas ChatelainType 
packetstorm🔗 packetstormsecurity.com👁 37 Views
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | SPIP 3.1.2 Server Side Request Forgery Vulnerability | 20 Oct 201600:00 | – | zdt |
 | CVE-2016-7999 | 19 Oct 201621:11 | – | circl |
 | SPIP Cross-Site Request Forgery Vulnerability | 12 Oct 201600:00 | – | cnvd |
 | CVE-2016-7999 | 18 Jan 201717:00 | – | cve |
 | CVE-2016-7999 | 18 Jan 201717:00 | – | cvelist |
 | [SECURITY] [DLA 695-1] spip security update | 2 Nov 201622:00 | – | debian |
 | CVE-2016-7999 | 18 Jan 201717:00 | – | debiancve |
 | Debian DLA-695-1 : spip security update | 3 Nov 201600:00 | – | nessus |
| Linux Distros Unpatched Vulnerability : CVE-2016-7999 | 25 Aug 202500:00 | – | nessus |
 | EUVD-2016-8847 | 7 Oct 202500:30 | – | euvd |
10
`## SPIP 3.1.2 Server Side Request Forgery (CVE-2016-7999)
### Product Description
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
### Vulnerability Description
It's possible to send HTTP/FTP requests using the `valider_xml` file.
Attackers can make it look like the server is sending the request, possibly bypassing access controls such as a firewall that would prevent the attacker from accessing the URLs directly.
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-918
**CVSS Base Score**: 5.5 (Medium)
**CVE-ID**: CVE-2016-7999
### Proof of Concept
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=http://router-dev.srv/
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=ftp://ftp.debian.org/
### Vulnerable code
The FTP connection is initialized by the `is_dir` function inside `valider_xml`, line 79 :
if (is_dir($url)) {
Other PHP Wrappers supporting `is_dir` can be called using this function.
The HTTP connection is initiated at line 123:
$res = $transformer_xml(recuperer_page($url));
### Timeline (dd/mm/yyyy)
* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 27/09/2016 : Server Side Request Forgery vulnerability correct vulnerabilities.
* 30/09/2016 : SPIP 3.1.3 Released
### Fixes
* https://core.spip.net/projects/spip/repository/revisions/23188
* https://core.spip.net/projects/spip/repository/revisions/23193
### Affected versions
* Version <= 3.1.2
### Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
--
SYSDREAM Labs <[email protected]>
GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Oct 2016 00:00Current
EPSS0.00748