=========================================== Patching Spip for forum.php3 vulnerability =========================================== :Author: Baptiste SIMON (aka BeTa) :Organization: e-glop.net :Contact: beta@e-glop.net :Date: 16 mars 2004 :Copyright: Copyright© 2003, Baptiste SIMON :Address: Nantes, France, Europe :Version: version 1.0 :Abstract: This document aims to give the keys for lambda users to upgrade their Spip-1.4.2, Spip-1.5.2 or Spip-1.6 to a patched fully-compatible version. The files on which we work on can be found at [ http://www.e-glop.net/dev/spip/ ] ------------------ Files description ------------------ `http://www.e-glop.net/dev/spip/SPIP-v1-4-3.patch.gz`_ Patch to upgrade from SPIP-v1.4.2 to SPIP-v1.4.3 `http://www.e-glop.net/dev/spip/SPIP-v1-4-3.inc-forum.php3.gz`_ Patched file to replace in SPIP-v1.4.2 to upgrade to SPIP-v1.4.3 `http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz`_ Patch to upgrade from SPIP-v1.5.2 to SPIP-v1.5.3 `http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz`_ Patched file to replace in SPIP-v1.5.2 to upgrade to SPIP-v1.5.3 `http://www.e-glop.net/dev/spip/SPIP-v1-6-1.patch.gz`_ Patch to upgrade from SPIP-v1.6 to SPIP-v1.6.1 `http://www.e-glop.net/dev/spip/SPIP-v1-6-1.inc-forum.php3.gz`_ Patched file to replace in SPIP-v1.6 to upgrade to SPIP-v1.6.1 `http://www.e-glop.net/dev/spip/spip-cert.txt`_ The official security announce http://www.e-glop.net/dev/spip/upgrading.* This "howto" in different formats. .. _`http://www.e-glop.net/dev/spip/SPIP-v1-4-3.patch.gz`: http://www.e-glop.net/dev/spip/SPIP-v1-4-3.patch.gz .. _`http://www.e-glop.net/dev/spip/SPIP-v1-4-3.inc-forum.php3.gz`: http://www.e-glop.net/dev/spip/SPIP-v1-4-3.inc-forum.php3.gz .. _`http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz`: http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz` .. _`http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz`: http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz .. _`http://www.e-glop.net/dev/spip/SPIP-v1-6-1.patch.gz`: http://www.e-glop.net/dev/spip/SPIP-v1-6-1.patch.gz .. _`http://www.e-glop.net/dev/spip/SPIP-v1-6-1.inc-forum.php3.gz`: http://www.e-glop.net/dev/spip/SPIP-v1-6-1.inc-forum.php3.gz .. _`http://www.e-glop.net/dev/spip/spip-cert.txt`: http://www.e-glop.net/dev/spip/spip-cert.txt -------------------------------------------------------- Upgrading from patch (the *regular* and prefered choice) -------------------------------------------------------- Needs ====== You need : - a shell access to your website's sources, - the "patch" package installed. You can certainly found it in your distribution's packages manager as "patch". In anyway, `this is the official *patch* website`_, - the "gzip" package installed. You can certainly found it in your distribution's packages manager as "gzip". In anyway, `this is the official *gzip* website`, - the "wget" package is also recommanded. You can certainly found it in your distribution's packages manager as "wget". In anyway, `this is the official *wget* website`. .. _`this is the official *patch* website`: http://www.gnu.org/software/patch/patch.html .. _`this is the official *gzip* website`: http://www.gnu.org/software/gzip/gzip.html .. _`this is the official *wget* website`: http://www.cg.tuwien.ac.at/~prikryl/wget.html Proceeding... ============== That is the way to patch your website's sources :: $ cd /path/to/your/spip/dir $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz (or whatever version you are running) $ zcat SPIP-v1-5-3.patch.gz | patch -p1 Replace the name 'SPIP-v1-5-3.patch.gz' with the patch version you need for your current Spip website. --------------------------- Upgrading without patching --------------------------- Needs ====== You need - to be able to gunzip the files. If you're running any UNIX, try to find the gunzip command. If you don't find it, try to install it the way you use to do. The gunzip command can be found in the `gzip package`_. - the "wget" package is also recommanded. You can certainly found it in your distribution's packages manager as "wget". In anyway, `this is the official *wget* website`. If you are not using wget (because you prefer another software or because you're running the Microsoft OS), replace the wget command line by the software you prefer. .. _`gzip package`: http://www.gnu.org/software/gzip/gzip.html Proceeding... ============== To replace the vulnerable script in your website's sources, please download the pre-pathed file corresponding to your Spip version. The patched files can be found at URL like : 'http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz'. To find the file you need, please refer to the files listed at the top of this document. Once you've got it, gunzip it and replace your website's 'inc-forum.php3' file with this one. Here is a script example for UNIX users :: $ cd /path/to/your/spip/dir $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz (or whatever version you are running) $ gunzip SPIP-v1-5-3.inc-forum.php3.gz $ mv -f SPIP-v1-5-3.inc-forum.php3 inc-forum.php3 ------- And... ------- That's done ! Please verify if your website is protected against the forum.php3 vulnerability by trying to reproduce the scenario described in the cert© document that you can find `here`_. If your website is still vulnerable, please retry patching once again, and then, contact `me`_ and `the spip development team`_ to report your problem. .. _`here`: http://www.e-glop.net/dev/spip/spip-cert.txt .. _`me`: mailto:bs-public_NOSPAM_e-glop.net .. _`the spip development team`: mailto:spip-dev_NOSPAM_rezo.net -------- Annexes -------- The author =========== `Baptiste SIMON`_ <`baptiste.simon @ e-glop.net`_> Administrateur système GNU/Linux & UNIX `In the search of an employment`_ .. _`Baptiste SIMON`: http://www.e-glop.net/ .. _`baptiste.simon @ e-glop.net`: mailto:baptiste.simon_NOSPAM_e-glop.net .. _`In the search of an employment`: http://www.e-glop.net/cv/ This document other formats ============================ This document has been writen in `RST`_ with KWrite and then converted into DN-XML and Docbook with `dn2dbk.xsl`_. The XHTML, HTML and XSL-FO versions have been created with the official DocBook XSLT stylesheet [4]_. The PDF, Postscript, RTF and plain text versions have been create with `Jade`_. .. _`RST`: http://docutils.sourceforge.net/ .. _`dn2dbk.xsl`: http://membres.lycos.fr/ebellot/dn2dbk/ .. _`Jade`: http://openjade.sourceforge.net/ Find all those formats here : - `XHTML`_ - `HTML`_ - `PDF`_ - `postcript`_ - `Texte brut`_ - `RTF`_ - `reStructuredText`_ - `DocBook - XML`_ - `DN-XML`_ - `XSL-FO`_ .. _`XHTML`: http://www.e-glop.net/dev/spip/upgrading.xhtml .. _`HTML`: http://www.e-glop.net/dev/spip/upgrading.html .. _`PDF`: http://www.e-glop.net/dev/spip/upgrading.pdf .. _`postcript`: http://www.e-glop.net/dev/spip/upgrading.ps .. _`Texte brut`: http://www.e-glop.net/dev/spip/upgrading.txt .. _`RTF`: http://www.e-glop.net/dev/spip/upgrading.rtf .. _`reStructuredText`: http://www.e-glop.net/dev/spip/upgrading.rst .. _`DocBook - XML`: http://www.e-glop.net/dev/spip/upgrading.db-xml .. _`DN-XML`: http://www.e-glop.net/dev/spip/upgrading.dn-xml .. _`XSL-FO`: http://www.e-glop.net/dev/spip/upgrading.fo .. [4] The `app-text/docbook-xsl-stylesheets`_ package on Gentoo-Linux .. _`app-text/docbook-xsl-stylesheets`: http://www.oasis-open.org/docbook Publication License ==================== This document from `www.e-glop.net`_ is published under the `Open Publication License`_. Permission is granted to copy, distribute and/or modify this document under the terms of the `Open Publication License`_ version 1.0. .. _`www.e-glop.net`: http://www.e-glop.net/ .. _`Open Publication License`: http://www.opencontent.org/openpub/