Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- [Suggested description]
- RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via "_oups" GET parameter
- ------------------------------------------
- [VulnerabilityType]
- Code injection
- ------------------------------------------
- [Vendor of Product]
- SPIP - Systeme de Publication pour Internet
- ------------------------------------------
- [Affected Product Code Base]
- SPIP - 3.1.13 - 3.1.14 - 3.2.8 - 3.2.9 - 3.1.15 - 3.2.10 - 3.2.11 - 4.0.0 - 4.0.1 - 3.2.12 - 4.0.2 - 4.0.3 - 4.0.4 - 3.2.13 - 3.2.14 - 4.0.5 - 4.1.0 - 4.1.1 - 4.0.6 - 4.1.2 - 4.0.7 - 3.2.15
- ------------------------------------------
- [Affected Component]
- https://github.com/spip/SPIP/blob/0394b44774555ae8331b6e65e35065dfa0bb41e4/prive/formulaires/editer_liens.php#L131
- ------------------------------------------
- [Attack Type]
- Remote
- ------------------------------------------
- [Impact Code execution]
- true
- ------------------------------------------
- [Attack Vectors]
- To exploit vulnerability, an authenticated user with backend access must send a malicious payload (PHP code) in a GET parameter. The server will interpret it and render results to user.
- ------------------------------------------
- [Reference]
- https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-1-5-SPIP-4-0-8-et-SPIP-3-2-16.html
- https://github.com/Abyss-W4tcher/ab4yss-wr4iteups/blob/ffa980faa9e3598d49d6fb7def4f7a67cfb5f427/SPIP%20-%20Pentest/SPIP%204.1.2/SPIP_4.1.2_AUTH_RCE/SPIP_4.1.2_AUTH_RCE_Abyss_Watcher_12_07_22.md
- https://spawnzii.github.io/posts/2022/07/how-we-have-pwned-root-me-in-2022/
- ------------------------------------------
- [Has vendor confirmed or acknowledged the vulnerability?]
- true
- ------------------------------------------
- [Discoverer]
- Abyss Watcher ; SpawnZii
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
