Patching Spip for forum.php3 vulnerability

Baptiste SIMON (aka BeTa)
e-glop.net
version 1.0
Copyright (c) 2003 Baptiste SIMON
16 March 2004

This document explains how ordinary users can upgrade their Spip-1.4.2, Spip-1.5.2 or Spip-1.6 to a patched, fully compatible version. The files we work with can be found at [1]http://www.e-glop.net/dev/spip/

---------------------------------------------------------------------------

Table of Contents

1. Files description
2. Upgrading from patch (the regular and preferred choice)
   2.1. Needs
   2.2. Proceeding...
3. Upgrading without patching
   3.1. Needs
   3.2. Proceeding...
4. And...
5. Annexes
   5.1. The author
   5.2. This document other formats
   5.3. Publication License

---------------------------------------------------------------------------

1. Files description

[14]http://www.e-glop.net/dev/spip/SPIP-v1-4-3.patch.gz
    Patch to upgrade from SPIP-v1.4.2 to SPIP-v1.4.3

[15]http://www.e-glop.net/dev/spip/SPIP-v1-4-3.inc-forum.php3.gz
    Patched file to replace in SPIP-v1.4.2 to upgrade to SPIP-v1.4.3

[16]http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz
    Patch to upgrade from SPIP-v1.5.2 to SPIP-v1.5.3

[17]http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz
    Patched file to replace in SPIP-v1.5.2 to upgrade to SPIP-v1.5.3

[18]http://www.e-glop.net/dev/spip/SPIP-v1-6-1.patch.gz
    Patch to upgrade from SPIP-v1.6 to SPIP-v1.6.1

[19]http://www.e-glop.net/dev/spip/SPIP-v1-6-1.inc-forum.php3.gz
    Patched file to replace in SPIP-v1.6 to upgrade to SPIP-v1.6.1

[20]http://www.e-glop.net/dev/spip/spip-cert.txt
    The official security announcement

[21]http://www.e-glop.net/dev/spip/upgrading.*
    This "howto" in different formats.

---------------------------------------------------------------------------

2. Upgrading from patch (the regular and preferred choice)

2.1. Needs

You need:

* shell access to your website's sources,
* the "patch" package installed. You can certainly find it in your distribution's package manager as "patch".
  In any case, [22]this is the official *patch* website,
* the "gzip" package installed. You can certainly find it in your distribution's package manager as "gzip". In any case, this is the official *gzip* website,
* the "wget" package is also recommended. You can certainly find it in your distribution's package manager as "wget". In any case, this is the official *wget* website.

---------------------------------------------------------------------------

2.2. Proceeding...

This is how to patch your website's sources:

    $ cd /path/to/your/spip/dir
    $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz    # or whatever version you are running
    $ zcat SPIP-v1-5-3.patch.gz | patch -p1

Replace the name 'SPIP-v1-5-3.patch.gz' with the patch version you need for your current Spip website.

---------------------------------------------------------------------------

3. Upgrading without patching

3.1. Needs

You need:

* to be able to gunzip the files. If you're running any UNIX, try to find the gunzip command. If you don't find it, install it the way you usually do. The gunzip command can be found in the [23]gzip package.
* the "wget" package is also recommended. You can certainly find it in your distribution's package manager as "wget". In any case, this is the official *wget* website.

If you are not using wget (because you prefer another software or because you're running the Microsoft OS), replace the wget command line with the software you prefer.

---------------------------------------------------------------------------

3.2. Proceeding...

To replace the vulnerable script in your website's sources, please download the pre-patched file corresponding to your Spip version. The patched files can be found at a URL like '[24]http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz'. To find the file you need, please refer to the files listed at the top of this document.
Once you've got it, gunzip it and replace your website's 'inc-forum.php3' file with this one. Here is an example script for UNIX users:

    $ cd /path/to/your/spip/dir
    $ wget http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz    # or whatever version you are running
    $ gunzip SPIP-v1-5-3.inc-forum.php3.gz
    $ mv -f SPIP-v1-5-3.inc-forum.php3 inc-forum.php3

---------------------------------------------------------------------------

4. And...

That's done! Please verify that your website is protected against the forum.php3 vulnerability by trying to reproduce the scenario described in the cert(c) document that you can find [25]here. If your website is still vulnerable, please retry patching, and then contact [26]me and [27]the spip development team to report your problem.

---------------------------------------------------------------------------

5. Annexes

5.1. The author

[28]Baptiste SIMON <[29]baptiste.simon @ e-glop.net>
GNU/Linux & UNIX system administrator
[30]Looking for employment

---------------------------------------------------------------------------

5.2. This document other formats

This document has been written in [31]RST with KWrite and then converted into DN-XML and DocBook with [32]dn2dbk.xsl. The XHTML, HTML and XSL-FO versions have been created with the official DocBook XSLT stylesheet (see note [1]). The PDF, PostScript, RTF and plain text versions have been created with [34]Jade.

Find all those formats here:

* [35]XHTML
* [36]HTML
* [37]PDF
* [38]PostScript
* [39]Plain text
* [40]RTF
* [41]reStructuredText
* [42]DocBook - XML
* [43]DN-XML
* [44]XSL-FO

---------------------------------------------------------------------------

5.3. Publication License

This document from [45]www.e-glop.net is published under the [46]Open Publication License.

Permission is granted to copy, distribute and/or modify this document under the terms of the [47]Open Publication License version 1.0.
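Added example (not part of the original howto or of Spip): a more careful form of the file replacement from section 3.2, which checks the downloaded archive, keeps the original inc-forum.php3 as a backup and preserves its permissions. The function name `replace_inc_forum` and the `.orig` backup suffix are assumptions made for this example; the archive is assumed to be already downloaded.

```shell
#!/bin/sh
# Added example: replace inc-forum.php3 with a downloaded pre-patched copy.
# replace_inc_forum is a hypothetical helper name, not part of Spip.

replace_inc_forum() {
    spip_dir=$1      # Spip root directory containing inc-forum.php3
    archive=$2       # already-downloaded SPIP-vX-Y-Z.inc-forum.php3.gz
    target="$spip_dir/inc-forum.php3"
    backup="$target.orig"
    tmp="$target.new.$$"

    [ -f "$target" ] || { echo "no inc-forum.php3 in $spip_dir" >&2; return 2; }

    # gzip -t detects a truncated or corrupted download (integrity only,
    # it says nothing about where the file came from).
    gzip -t "$archive" 2>/dev/null || { echo "bad archive: $archive" >&2; return 3; }

    # Copy the live file first so the new one inherits its mode, then
    # overwrite the content. Same directory, so the final mv is a rename.
    cp -p "$target" "$tmp" && gzip -dc "$archive" > "$tmp" || { rm -f "$tmp"; return 4; }
    [ -s "$tmp" ] || { echo "archive is empty" >&2; rm -f "$tmp"; return 5; }

    # Nothing to do if the patched file is already in place.
    if cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        echo "already patched"
        return 0
    fi

    # Keep the first original only; a re-run must not overwrite it.
    [ -e "$backup" ] || cp -p "$target" "$backup" || { rm -f "$tmp"; return 6; }

    mv -f "$tmp" "$target" && echo "replaced, backup at $backup"
}

# Usage: replace_inc_forum /path/to/your/spip/dir SPIP-v1-5-3.inc-forum.php3.gz
```

If the patched site misbehaves, the untouched original is still available as inc-forum.php3.orig for comparison with `diff`.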

Notes

[1] The [49]app-text/docbook-xsl-stylesheets package on Gentoo-Linux

References

Visible links

 1. http://www.e-glop.net/dev/spip/
14. http://www.e-glop.net/dev/spip/SPIP-v1-4-3.patch.gz
15. http://www.e-glop.net/dev/spip/SPIP-v1-4-3.inc-forum.php3.gz
16. http://www.e-glop.net/dev/spip/SPIP-v1-5-3.patch.gz
17. http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz
18. http://www.e-glop.net/dev/spip/SPIP-v1-6-1.patch.gz
19. http://www.e-glop.net/dev/spip/SPIP-v1-6-1.inc-forum.php3.gz
20. http://www.e-glop.net/dev/spip/spip-cert.txt
21. http://www.e-glop.net/dev/spip/upgrading
22. http://www.gnu.org/software/patch/patch.html
23. http://www.gnu.org/software/gzip/gzip.html
24. http://www.e-glop.net/dev/spip/SPIP-v1-5-3.inc-forum.php3.gz
25. http://www.e-glop.net/dev/spip/spip-cert.txt
26. mailto:bs-public_NOSPAM_e-glop.net
27. mailto:spip-dev_NOSPAM_rezo.net
28. http://www.e-glop.net/
29. mailto:baptiste.simon_NOSPAM_e-glop.net
30. http://www.e-glop.net/cv/
31. http://docutils.sourceforge.net/
32. http://membres.lycos.fr/ebellot/dn2dbk/
34. http://openjade.sourceforge.net/
35. http://www.e-glop.net/dev/spip/upgrading.xhtml
36. http://www.e-glop.net/dev/spip/upgrading.html
37. http://www.e-glop.net/dev/spip/upgrading.pdf
38. http://www.e-glop.net/dev/spip/upgrading.ps
39. http://www.e-glop.net/dev/spip/upgrading.txt
40. http://www.e-glop.net/dev/spip/upgrading.rtf
41. http://www.e-glop.net/dev/spip/upgrading.rst
42. http://www.e-glop.net/dev/spip/upgrading.db-xml
43. http://www.e-glop.net/dev/spip/upgrading.dn-xml
44. http://www.e-glop.net/dev/spip/upgrading.fo
45. http://www.e-glop.net/
46. http://www.opencontent.org/openpub/
47. http://www.opencontent.org/openpub/
49. http://www.oasis-open.org/docbook