Patching Spip for forum.php3 vulnerability

Nantes, France, Europe

version 1.0AbstractThis document aims to give the keys for lambda users to upgrade their Spip-1.4.2, Spip-1.5.2 or Spip-1.6 to a patched fully-compatible version. The files on which we work on can be found at [ http://www.e-glop.net/dev/spip/ ]

Files descriptionhttp://www.e-glop.net/dev/spip/SPIP-v1-4-3.patch.gzPatch to upgrade from SPIP-v1.4.2 to SPIP-v1.4.3http://www.e-glop.net/dev/spip/SPIP-v1-4-3.inc-forum.php3.gzPatched file to replace in SPIP-v1.4.2 to upgrade to SPIP-v1.4.3http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gzPatch to upgrade from SPIP-v1.5.2 to SPIP-v1.5.3http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gzPatched file to replace in SPIP-v1.5.2 to upgrade to SPIP-v1.5.3http://www.e-glop.net/dev/spip/SPIP-v1-6-1.patch.gzPatch to upgrade from SPIP-v1.6 to SPIP-v1.6.1http://www.e-glop.net/dev/spip/SPIP-v1-6-1.inc-forum.php3.gzPatched file to replace in SPIP-v1.6 to upgrade to SPIP-v1.6.1http://www.e-glop.net/dev/spip/spip-cert.txtThe official security announcehttp://www.e-glop.net/dev/spip/upgrading.*This "howto" in different formats.

Upgrading from patch (the <emphasis>regular</emphasis> and prefered choice)

NeedsYou need :a shell access to your website's sources,the "patch" package installed. You can certainly found it in your distribution's packages manager as "patch". In anyway, this is the official *patch* website,the "gzip" package installed. You can certainly found it in your distribution's packages manager as "gzip". In anyway, this is the official *gzip* website,the "wget" package is also recommanded. You can certainly found it in your distribution's packages manager as "wget". In anyway, this is the official *wget* website.

Proceeding...That is the way to patch your website's sources$ cd /path/to/your/spip/dir $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz (or whatever version you are running) $ zcat SPIP-v1-5-3.patch.gz | patch -p1Replace the name 'SPIP-v1-5-3.patch.gz' with the patch version you need for your current Spip website.

Upgrading without patching

NeedsDuplicate implicit target name: "needs".You needto be able to gunzip the files. If you're running any UNIX, try to find the gunzip command. If you don't find it, try to install it the way you use to do. The gunzip command can be found in the gzip package.the "wget" package is also recommanded. You can certainly found it in your distribution's packages manager as "wget". In anyway, this is the official *wget* website. If you are not using wget (because you prefer another software or because you're running the Microsoft OS), replace the wget command line by the software you prefer.

Proceeding...Duplicate implicit target name: "proceeding...".To replace the vulnerable script in your website's sources, please download the pre-pathed file corresponding to your Spip version. The patched files can be found at URL like : 'http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz'. To find the file you need, please refer to the files listed at the top of this document.Once you've got it, gunzip it and replace your website's 'inc-forum.php3' file with this one.Here is a script example for UNIX users$ cd /path/to/your/spip/dir $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz (or whatever version you are running) $ gunzip SPIP-v1-5-3.inc-forum.php3.gz $ mv -f SPIP-v1-5-3.inc-forum.php3 inc-forum.php3

And...That's done !Please verify if your website is protected against the forum.php3 vulnerability by trying to reproduce the scenario described in the cert© document that you can find here.If your website is still vulnerable, please retry patching once again, and then, contact me and the spip development team to report your problem.

Annexes

The authorBaptiste SIMON <baptiste.simon @ e-glop.net>Administrateur système GNU/Linux & UNIXIn the search of an employment

This document other formatsThis document has been writen in RST with KWrite and then converted into DN-XML and Docbook with dn2dbk.xsl.The XHTML, HTML and XSL-FO versions have been created with the official DocBook XSLT stylesheet 4. The PDF, Postscript, RTF and plain text versions have been create with Jade.Find all those formats here :XHTMLHTMLPDFpostcriptTexte brutRTFreStructuredTextDocBook - XMLDN-XMLXSL-FO4The app-text/docbook-xsl-stylesheets package on Gentoo-Linux

Publication LicenseThis document from www.e-glop.net is published under the Open Publication License. Permission is granted to copy, distribute and/or modify this document under the terms of the Open Publication License version 1.0.