Version 1.0 October 1996

CERT(R) Coordination Center
Product Vulnerability Reporting Form

If you know of a vulnerability in a product, please complete this form and
return it to cert@cert.org. We aren't able to acknowledge each report we
receive; however, if we have additional questions, we will contact you for
further information.

We prefer that any vulnerability information you send to us be encrypted. We
can support a shared DES key or PGP. Contact the CERT staff for more
information. The CERT PGP public key is available at
http://www.cert.org/pgp/cert_pgp_key.asc

Thanks, we appreciate your taking the time to report this vulnerability.


CONTACT INFORMATION
===============================================================================

Let us know who you are:

Name                    : SIMON Baptiste (aka BeTa)
E-mail                  : baptiste.simon@e-glop.net
Phone / fax             : +33 06 75 79 28 48
Affiliation and address : 3, avenue de la Calypso, 44000 Nantes, France

Have you reported this to the vendor? [yes/no] yes

If so, please let us know whom you've contacted:

Date of your report     : 14/03/2004
Vendor contact name     : spip development mailing-list
Vendor contact phone    : n/a
Vendor contact e-mail   : spip-dev@rezo.net
Vendor reference number : n/a


POLICY INFO
===============================================================================

We encourage communication between vendors and their customers. When we
forward a report to the vendor, we include the reporter's name and contact
information unless you let us know otherwise. If you want this report to
remain anonymous, please check here:

There is no problem with giving my contact information.


TECHNICAL INFO
===============================================================================

If there is a CERT Vulnerability tracking number please put it here
(otherwise leave blank): VU#______.

Please describe the vulnerability.
----------------------------------

What is the impact of this vulnerability?
-----------------------------------------
(For example: local user can gain root/privileged access, intruders can
create root-owned files, denial of service attack, etc.)

a) What is the specific impact:

Remote users can execute arbitrary PHP code. Usually, this vulnerability can
easily be used to expose sensitive information. In extreme cases, remote
users can gain full remote access to the system as the web server's user or,
combined with other vulnerabilities (like the Linux kernel's mremap() one),
full remote access to the system.

b) How would you envision it being used in an attack scenario:

A user sends the website a request containing malicious PHP code (this is
quite easy, because it can be done through a simple form such as the one at
http://you.web.site/your/spip/dir/forum.php3). More precisely, it can be
exploited by writing more than 10 characters in the "text" field, and
something like "" in the "URL" or "Email" fields.

This PHP code can read back files (like /etc/passwd, /etc/apache/conf/httpd.conf,
or files containing database passwords and the like) or execute simple
commands. Where the system is not fully up to date, another vulnerability can
then be exploited. For example, on a system running the linux-2.4.22 kernel,
the remote user can ask PHP to download a binary that exploits the mremap()
vulnerability and then execute it on the web server. He then has root access.

To your knowledge is the vulnerability currently being exploited?
-----------------------------------------------------------------

yes

If there is an exploitation script available, please include it here.
---------------------------------------------------------------------

There is no script available, because this needs a target that I do not
have... please refer to the scenario I described above.

Do you know what systems and/or configurations are vulnerable?
--------------------------------------------------------------
[yes/no] (If yes, please list them below)

System           : all
OS version       : all
Verified/Guessed : Guessed for many, and verified on several linux-2.4.x
                   systems running Debian GNU/Linux and SPIP < 1.7 (installed
                   from scratch, from the SPIP website [ http://www.spip.net/ ])

Are you aware of any workarounds and/or fixes for this vulnerability?
---------------------------------------------------------------------

yes

You can find a patch here (do not make this publicly known, this is a
slow-bandwidth connection):

- patch for v1.5.2 [ http://www.e-glop.net/divers/SPIP-v1-5-3.patch.gz ]
- patch for v1.6   [ http://www.e-glop.net/divers/SPIP-v1-6-1.patch.gz ]

The MD5 sums are:

be09a75583fcd8c1ef54f64d7cbd0881  SPIP-v1-5-3.patch.gz
b85bf68456393ffcd6b69e0cce420fe1  SPIP-v1-6-1.patch.gz


OTHER INFORMATION
===========================================================================

I'm contacting cert.org because the usual way (through the project's
developers) has not been successful. You should also know that I think all
SPIP versions < 1.7 are potentially vulnerable, even if I've only tested it
on v1.6 and v1.5.2.

Thanks for your understanding.

--------
CERT and CERT Coordination Center are registered in the U.S. Patent and
Trademark office.
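The attack scenario under TECHNICAL INFO above says that PHP code placed in the forum's "URL" or "Email" fields is executed by SPIP < 1.7, but the report does not say which SPIP code path evaluates it and the payload itself is missing from this copy. The following is an added illustration, neither SPIP's code nor the reporter's: a hypothetical minimal forum handler that reproduces the bug class (attacker-controlled form fields reaching eval()) next to a hardened version that treats the fields as data. The field names ('texte', 'url', 'email') and the constructed submission are assumptions; it needs PHP 7.4 or later.

```php
<?php
// Added illustration, not SPIP's code. The report says that PHP placed in the
// forum's "URL"/"Email" fields is executed by SPIP < 1.7 but not how. This
// hypothetical handler shows the bug class (user-controlled form fields
// reaching eval()) and a hardened replacement. Field names and the sample
// submission below are assumptions. Requires PHP 7.4+ (arrow function).

declare(strict_types=1);

// Constructed forum submission, as if POSTed to forum.php3 (more than ten
// characters of text, and PHP source in the "Email" field).
$post = [
    'texte' => 'A message of more than ten characters.',
    'url'   => 'http://example.com/',
    'email' => '<?php echo "PHP executed on the server"; ?>',
];

// VULNERABLE (hypothetical): the fields are spliced into a PHP template that
// is then eval()'d. A value containing "<?php ... ?>" switches the evaluator
// back into PHP mode and runs with the web server's privileges.
function render_vulnerable(array $post): string
{
    $template = '?><a href="' . $post['url'] . '">' . $post['email'] . '</a><?php ';
    ob_start();
    eval($template);          // attacker-controlled text executed as PHP
    return (string) ob_get_clean();
}

// HARDENED: validate 'url' and 'email' against what they are supposed to be,
// never hand them to eval(), and HTML-escape on output so that any "<?php"
// that slips through is rendered as text rather than executed.
function render_hardened(array $post): string
{
    $url = filter_var($post['url'] ?? '', FILTER_VALIDATE_URL);
    $scheme = $url === false ? null : parse_url($url, PHP_URL_SCHEME);
    if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
        $url = '';            // reject anything that is not an http(s) URL
    }

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $email = '';          // "<?php ... ?>" is not an e-mail address
    }

    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $h($url) . '">' . $h($email) . '</a>';
}

echo "vulnerable: " . render_vulnerable($post) . "\n"; // payload runs
echo "hardened:   " . render_hardened($post) . "\n";   // payload dropped as invalid data
```

The two functions differ only in what they do with the fields: the first builds source code out of them, the second builds data. Validating the URL scheme and the e-mail syntax is the cheap part; the property that actually closes the hole is that no request-controlled string ever reaches eval(), include or any other evaluator, which is the check to make when reviewing a patch for this class of bug.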