SPIP 3.1.2 Cross Site Scripting

SPIP 3.1.2 Cross Site Scripting: Posted Oct 19, 2016; Authored by Nicolas Chatelain; SPIP versions 3.1.2 and below suffer from a cross site scripting vulnerability.; tags | exploit, xss; advisories | CVE-2016-7981; SHA-256 | 82f26ce8d2e06a0310943f86601d4af8ea95702997bd1830df30452763eead8f; Download | Favorite | View

SPIP 3.1.2 Cross Site Scripting

## SPIP 3.1.2 Reflected Cross-Site Scripting (CVE-2016-7981)

### Product Description

SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The `var_url` parameter of the `valider_xml` file is not correctly sanitized and can be used to trigger a reflected XSS vulnerability.

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-79

**CVSS Base Score**: 6.8 (Medium)

**CVE-ID**: CVE-2016-7981

### Proof of Concept

    http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=%22%3E%3Ch1%3EXSS!%3C/h1%3E

### Vulnerable code

The `$url variable` is not properly sanitized in `valider_xml.php`, line 134 :

    $res =
      "<div style='text-align: center'>" . $err . "</div>" .
      "<div style='margin: 10px; text-align: left'>" . $texte . '</div>';
    $bandeau = "<a href='$url_aff'>$url</a>";

The Cross-Site Scripting vulnerability is triggered on line 146 :

    echo "<h1>", $titre, '<br>', $bandeau, '</h1>',


### Timeline (dd/mm/yyyy)

* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 27/09/2016 : Incorrect fix from SPIP Team.
* 27/09/2016 : New proof of concept for bypassing fixes for XSS sent.
* 27/09/2016 : Fixes issued for XSS (23185).
* 30/09/2016 : SPIP 3.1.3 Released

### Fixes

* https://core.spip.net/projects/spip/repository/revisions/23200
* https://core.spip.net/projects/spip/repository/revisions/23201
* https://core.spip.net/projects/spip/repository/revisions/23202


### Affected versions

* Version <= 3.1.2

### Credits

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)


-- 
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream

Top Authors In Last 30 Days

Red Hat 235 files
Ubuntu 70 files
indoushka 69 files
Debian 22 files
LiquidWorm 19 files
Google Security Research 8 files
Gentoo 7 files
malvuln 6 files
Seth Jenkins 4 files
Emiliano Febbi 4 files

File Archives

Systems

AIX (430)
Apple (2,117)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,147)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (391)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,676)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,132)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,946)
UNIX (9,472)
UnixWare (188)
Windows (6,784)
Other

SPIP 3.1.2 Cross Site Scripting

SPIP 3.1.2 Cross Site Scripting

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SPIP 3.1.2 Cross Site Scripting

Share This

SPIP 3.1.2 Cross Site Scripting

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems