ZRCSA-200601.txt

`Zone-H Research Center Security Advisory 200601  
http://www.zone-h.fr  
  
Date of release: 31/01/2006  
Software: SPIP (http://www.spip.net)  
Affected versions: < 1.8.2-e , < 1.9 Alpha 2 (5539)  
Risk: Medium  
Discovered by: Kevin Fernandez "Siegfried" and Benoît Sklénard  
"netcraft" from the Zone-H Research Team  
  
Background  
----------  
SPIP is a publishing system for the Internet.  
Come again? It consists of a bundle of files, installed in your web  
account and allowing you to take advantage of a number of automated  
tasks: multi-user management, laying out your articles without the  
need to use HTML, easily modifying the structure of your site. From  
the very same application used to browse a site (Netscape, Microsoft  
Internet Explorer, Mozilla, Opera...), SPIP enables you to build and  
update a site, thanks to a very simple user interface.  
  
Details  
--------  
Some sql injections and cross-site scripting vulnerabilities have been  
discovered.  
  
-When we contacted the vendor, he already had fixed some of them:  
multiple sql injections exploitable in the administrative area.  
  
The ones which weren't fixed when we contacted him were the sql  
injections in the forum (public area).  
  
in formulaires/inc-formulaire_forum.php3 :  
// recuperer les donnees du forum auquel on repond, false = forum interdit  
list ($idr, $idf, $ida, $idb, $ids) = $args;  
if (!$r = sql_recherche_donnees_forum ($idr, $idf, $ida, $idb, $ids))  
return '';  
  
It is exploitable via forum.php3 , example:  
/forum.php3?id_article=1&id_forum=-1/**/UNION/**/SELECT%20pass%20from%20spip_auteurs/*  
or with any other variable (id_article, id_breve..) like:  
/forum.php3?id_article=-1/**/UNION/**/SELECT%20pass%20from%20spip_auteurs/*  
  
It is exploitable like this with magic_quotes_gpc on or off.  
  
A full path disclosure problem was present in inc-messforum.php3 when  
accessing it directly, let's say the spip path is /var/www/spip , it  
could then be used to exploit the sql injection (if magic_quotes_gpc  
is off) to inject php code in a writable directory(The "IMG" folder,  
like 3 others, are writable by default).  
  
So if magic_quotes_gpc = Off , Display_errors = On and SPIP is version  
1.8.2 or prior, it can be exploited to compromise a vulnerable system.  
  
The vendor also discovered 2 potential sql injections in the session  
handling and when posting "petitions" (maybe others).  
  
-We also notified the vendor of a xss problem, it isn't fixed.  
index.php3?lang=">xss  
  
Solution  
---------  
The sql injection vulnerabilities have been fixed in the latest svn  
snapshot (5546): svn://trac.rezo.net/spip/spip  
or here: http://trac.rezo.net/files/spip/spip.zip  
  
Original advisories:  
English: http://www.zone-h.org/en/advisories/read/id=8650/  
French: http://www.zone-h.fr/fr/advisories/read/id=874/  
`