Advertisement
Abyss_-_Watcher

Untitled

Dec 13th, 2022 (edited)
2,787
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.88 KB | None | 0 0
  1. [Suggested description]
  2. RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via "_oups" GET parameter
  3.  
  4. ------------------------------------------
  5.  
  6. [VulnerabilityType]
  7. Code injection
  8.  
  9. ------------------------------------------
  10.  
  11. [Vendor of Product]
  12. SPIP - Systeme de Publication pour Internet
  13.  
  14. ------------------------------------------
  15.  
  16. [Affected Product Code Base]
  17. SPIP - 3.1.13 - 3.1.14 - 3.2.8 - 3.2.9 - 3.1.15 - 3.2.10 - 3.2.11 - 4.0.0 - 4.0.1 - 3.2.12 - 4.0.2 - 4.0.3 - 4.0.4 - 3.2.13 - 3.2.14 - 4.0.5 - 4.1.0 - 4.1.1 - 4.0.6 - 4.1.2 - 4.0.7 - 3.2.15
  18.  
  19. ------------------------------------------
  20.  
  21. [Affected Component]
  22. https://github.com/spip/SPIP/blob/0394b44774555ae8331b6e65e35065dfa0bb41e4/prive/formulaires/editer_liens.php#L131
  23.  
  24. ------------------------------------------
  25.  
  26. [Attack Type]
  27. Remote
  28.  
  29. ------------------------------------------
  30.  
  31. [Impact Code execution]
  32. true
  33.  
  34. ------------------------------------------
  35.  
  36. [Attack Vectors]
  37. To exploit vulnerability, an authenticated user with backend access must send a malicious payload (PHP code) in a GET parameter. The server will interpret it and render results to user.
  38.  
  39. ------------------------------------------
  40.  
  41. [Reference]
  42. https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-1-5-SPIP-4-0-8-et-SPIP-3-2-16.html
  43. https://github.com/Abyss-W4tcher/ab4yss-wr4iteups/blob/ffa980faa9e3598d49d6fb7def4f7a67cfb5f427/SPIP%20-%20Pentest/SPIP%204.1.2/SPIP_4.1.2_AUTH_RCE/SPIP_4.1.2_AUTH_RCE_Abyss_Watcher_12_07_22.md
  44. https://spawnzii.github.io/posts/2022/07/how-we-have-pwned-root-me-in-2022/
  45.  
  46. ------------------------------------------
  47.  
  48. [Has vendor confirmed or acknowledged the vulnerability?]
  49. true
  50.  
  51. ------------------------------------------
  52.  
  53. [Discoverer]
  54. Abyss Watcher ; SpawnZii
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement