Patching Spip for forum.php3 vulnerability

Patching Spip for forum.php3 vulnerabilityBaptiste SIMON (aka BeTa), e-glop.netversion 1.0Copyright © 2003 Baptiste SIMON <baptiste.simon @ e-glop.net>16 mars 2004This document aims to give the keys for lambda users to upgrade their Spip-1.4.2, Spip-1.5.2 or Spip-1.6 to a patched fully-compatible version. The files on which we work on can be found at [ http://www.e-glop.net/dev/spip/ ]Table of Contents

Files description

Upgrading from patch (the regular and prefered choice)

Needs

Proceeding...

Upgrading without patching

Needs

Proceeding...

And...

Annexes

The author

This document other formats

Publication License

Files descriptionFiles description

http://www.e-glop.net/dev/spip/SPIP-v1-4-3.patch.gz

Patch to upgrade from SPIP-v1.4.2 to SPIP-v1.4.3

http://www.e-glop.net/dev/spip/SPIP-v1-4-3.inc-forum.php3.gz

Patched file to replace in SPIP-v1.4.2 to upgrade to SPIP-v1.4.3

http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz

[http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz`]

Patch to upgrade from SPIP-v1.5.2 to SPIP-v1.5.3

http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz

Patched file to replace in SPIP-v1.5.2 to upgrade to SPIP-v1.5.3

http://www.e-glop.net/dev/spip/SPIP-v1-6-1.patch.gz

Patch to upgrade from SPIP-v1.6 to SPIP-v1.6.1

http://www.e-glop.net/dev/spip/SPIP-v1-6-1.inc-forum.php3.gz

Patched file to replace in SPIP-v1.6 to upgrade to SPIP-v1.6.1

http://www.e-glop.net/dev/spip/spip-cert.txt

The official security announce

http://www.e-glop.net/dev/spip/upgrading.*

This "howto" in different formats.

Upgrading from patch (the regular and prefered choice)Upgrading from patch (the regular and prefered choice)NeedsNeedsYou need :

•

a shell access to your website's sources,

•

the "patch" package installed. You can certainly found it in your distribution's packages manager as "patch". In anyway, this is the official *patch* website [http://www.gnu.org/software/patch/patch.html],

•

the "gzip" package installed. You can certainly found it in your distribution's packages manager as "gzip". In anyway, this is the official *gzip* website,

•

the "wget" package is also recommanded. You can certainly found it in your distribution's packages manager as "wget". In anyway, this is the official *wget* website.

Proceeding...Proceeding...That is the way to patch your website's sources$ cd /path/to/your/spip/dir $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz (or whatever version you are running) $ zcat SPIP-v1-5-3.patch.gz | patch -p1Replace the name 'SPIP-v1-5-3.patch.gz' with the patch version you need for your current Spip website.Upgrading without patchingUpgrading without patchingNeedsNeedsDuplicate implicit target name: "needs".You need

•

to be able to gunzip the files. If you're running any UNIX, try to find the gunzip command. If you don't find it, try to install it the way you use to do. The gunzip command can be found in the gzip package [http://www.gnu.org/software/gzip/gzip.html].

•

the "wget" package is also recommanded. You can certainly found it in your distribution's packages manager as "wget". In anyway, this is the official *wget* website. If you are not using wget (because you prefer another software or because you're running the Microsoft OS), replace the wget command line by the software you prefer.

Proceeding...Proceeding...Duplicate implicit target name: "proceeding...".To replace the vulnerable script in your website's sources, please download the pre-pathed file corresponding to your Spip version. The patched files can be found at URL like : 'http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz'. To find the file you need, please refer to the files listed at the top of this document.Once you've got it, gunzip it and replace your website's 'inc-forum.php3' file with this one.Here is a script example for UNIX users$ cd /path/to/your/spip/dir $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz (or whatever version you are running) $ gunzip SPIP-v1-5-3.inc-forum.php3.gz $ mv -f SPIP-v1-5-3.inc-forum.php3 inc-forum.php3And...And...That's done !Please verify if your website is protected against the forum.php3 vulnerability by trying to reproduce the scenario described in the cert© document that you can find here [http://www.e-glop.net/dev/spip/spip-cert.txt].If your website is still vulnerable, please retry patching once again, and then, contact me [mailto:bs-public_NOSPAM_e-glop.net] and the spip development team [mailto:spip-dev_NOSPAM_rezo.net] to report your problem.AnnexesAnnexesThe authorThe author

Baptiste SIMON

[http://www.e-glop.net/] <baptiste.simon @ e-glop.net [mailto:baptiste.simon_NOSPAM_e-glop.net]>Administrateur système GNU/Linux & UNIX

In the search of an employment

[http://www.e-glop.net/cv/] This document other formatsThis document other formatsThis document has been writen in RST [http://docutils.sourceforge.net/] with KWrite and then converted into DN-XML and Docbook with dn2dbk.xsl [http://membres.lycos.fr/ebellot/dn2dbk/].The XHTML, HTML and XSL-FO versions have been created with the official DocBook XSLT stylesheet 1

1The app-text/docbook-xsl-stylesheets [http://www.oasis-open.org/docbook] package on Gentoo-Linux

. The PDF, Postscript, RTF and plain text versions have been create with Jade [http://openjade.sourceforge.net/].Find all those formats here :

•

XHTML

[http://www.e-glop.net/dev/spip/upgrading.xhtml]

•

HTML

[http://www.e-glop.net/dev/spip/upgrading.html]

•

PDF

[http://www.e-glop.net/dev/spip/upgrading.pdf]

•

postcript

[http://www.e-glop.net/dev/spip/upgrading.ps]

•

Texte brut

[http://www.e-glop.net/dev/spip/upgrading.txt]

•

RTF

[http://www.e-glop.net/dev/spip/upgrading.rtf]

•

reStructuredText

[http://www.e-glop.net/dev/spip/upgrading.rst]

•

DocBook - XML

[http://www.e-glop.net/dev/spip/upgrading.db-xml]

•

DN-XML

[http://www.e-glop.net/dev/spip/upgrading.dn-xml]

•

XSL-FO

[http://www.e-glop.net/dev/spip/upgrading.fo]

Publication LicensePublication LicenseThis document from www.e-glop.net [http://www.e-glop.net/] is published under the Open Publication License [http://www.opencontent.org/openpub/]. Permission is granted to copy, distribute and/or modify this document under the terms of the Open Publication License [http://www.opencontent.org/openpub/] version 1.0.