version 1.0
Copyright © 2003 Baptiste SIMON <baptiste.simon @ e-glop.net>
16 mars 2004
Abstract
This document aims to give the keys for lambda users to upgrade their Spip-1.4.2, Spip-1.5.2 or Spip-1.6 to a patched fully-compatible version. The files on which we work on can be found at [ http://www.e-glop.net/dev/spip/ ]
Table of Contents
Patch to upgrade from SPIP-v1.4.2 to SPIP-v1.4.3
Patched file to replace in SPIP-v1.4.2 to upgrade to SPIP-v1.4.3
Patch to upgrade from SPIP-v1.5.2 to SPIP-v1.5.3
Patched file to replace in SPIP-v1.5.2 to upgrade to SPIP-v1.5.3
Patch to upgrade from SPIP-v1.6 to SPIP-v1.6.1
Patched file to replace in SPIP-v1.6 to upgrade to SPIP-v1.6.1
The official security announce
This "howto" in different formats.
You need :
a shell access to your website's sources,
the "patch" package installed. You can certainly found it in your distribution's packages manager as "patch". In anyway, this is the official *patch* website,
the "gzip" package installed. You can certainly found it in your distribution's packages manager as "gzip". In anyway, this is the official *gzip* website,
the "wget" package is also recommanded. You can certainly found it in your distribution's packages manager as "wget". In anyway, this is the official *wget* website.
That is the way to patch your website's sources
$ cd /path/to/your/spip/dir $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz (or whatever version you are running) $ zcat SPIP-v1-5-3.patch.gz | patch -p1
Replace the name 'SPIP-v1-5-3.patch.gz' with the patch version you need for your current Spip website.
Duplicate implicit target name: "needs".
You need
to be able to gunzip the files. If you're running any UNIX, try to find the gunzip command. If you don't find it, try to install it the way you use to do. The gunzip command can be found in the gzip package.
the "wget" package is also recommanded. You can certainly found it in your distribution's packages manager as "wget". In anyway, this is the official *wget* website. If you are not using wget (because you prefer another software or because you're running the Microsoft OS), replace the wget command line by the software you prefer.
Duplicate implicit target name: "proceeding...".
To replace the vulnerable script in your website's sources, please download the pre-pathed file corresponding to your Spip version. The patched files can be found at URL like : 'http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz'. To find the file you need, please refer to the files listed at the top of this document.
Once you've got it, gunzip it and replace your website's 'inc-forum.php3' file with this one.
Here is a script example for UNIX users
$ cd /path/to/your/spip/dir $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz (or whatever version you are running) $ gunzip SPIP-v1-5-3.inc-forum.php3.gz $ mv -f SPIP-v1-5-3.inc-forum.php3 inc-forum.php3
That's done !
Please verify if your website is protected against the forum.php3 vulnerability by trying to reproduce the scenario described in the cert© document that you can find here.
If your website is still vulnerable, please retry patching once again, and then, contact me and the spip development team to report your problem.
Baptiste SIMON <baptiste.simon @ e-glop.net>
Administrateur système GNU/Linux & UNIX
This document has been writen in RST with KWrite and then converted into DN-XML and Docbook with dn2dbk.xsl.
The XHTML, HTML and XSL-FO versions have been created with the official DocBook XSLT stylesheet [1]. The PDF, Postscript, RTF and plain text versions have been create with Jade.
Find all those formats here :
This document from www.e-glop.net is published under the Open Publication License. Permission is granted to copy, distribute and/or modify this document under the terms of the Open Publication License version 1.0.