|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 395 CVE : CVE-2006-0517 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Given : Yes Credit : Zone-H Research Team Published : 02.02.2006
Advisory Text : Zone-H Research Center Security Advisory 200601 http://www.zone-h.fr Date of release: 31/01/2006 Software: SPIP (http://www.spip.net) Affected versions: < 1.8.2-e , < 1.9 Alpha 2 (5539) Risk: Medium Discovered by: Kevin Fernandez "Siegfried" and Benoît Sklénard "netcraft" from the Zone-H Research Team Background ---------- SPIP is a publishing system for the Internet. Come again? It consists of a bundle of files, installed in your web account and allowing you to take advantage of a number of automated tasks: multi-user management, laying out your articles without the need to use HTML, easily modifying the structure of your site. From the very same application used to browse a site (Netscape, Microsoft Internet Explorer, Mozilla, Opera...), SPIP enables you to build and update a site, thanks to a very simple user interface. Details -------- Some sql injections and cross-site scripting vulnerabilities have been discovered. -When we contacted the vendor, he already had fixed some of them: multiple sql injections exploitable in the administrative area. The ones which weren't fixed when we contacted him were the sql injections in the forum (public area). in formulaires/inc-formulaire_forum.php3 : // recuperer les donnees du forum auquel on repond, false = forum interdit list ($idr, $idf, $ida, $idb, $ids) = $args; if (!$r = sql_recherche_donnees_forum ($idr, $idf, $ida, $idb, $ids)) return ''; It is exploitable via forum.php3 , example: /forum.php3?id_article=1&id_forum=-1/**/UNION/**/SELECT%20pass%20from%20 spip_auteurs/* or with any other variable (id_article, id_breve..) like: /forum.php3?id_article=-1/**/UNION/**/SELECT%20pass%20from%20spip_auteur s/* It is exploitable like this with magic_quotes_gpc on or off. A full path disclosure problem was present in inc-messforum.php3 when accessing it directly, let's say the spip path is /var/www/spip , it could then be used to exploit the sql injection (if magic_quotes_gpc is off) to inject php code in a writable directory(The "IMG" folder, like 3 others, are writable by default). So if magic_quotes_gpc = Off , Display_errors = On and SPIP is version 1.8.2 or prior, it can be exploited to compromise a vulnerable system. The vendor also discovered 2 potential sql injections in the session handling and when posting "petitions" (maybe others). -We also notified the vendor of a xss problem, it isn't fixed. index.php3?lang=">xss Solution --------- The sql injection vulnerabilities have been fixed in the latest svn snapshot (5546): svn://trac.rezo.net/spip/spip or here: http://trac.rezo.net/files/spip/spip.zip Original advisories: English: http://www.zone-h.org/en/advisories/read/id=8650/ French: http://www.zone-h.fr/fr/advisories/read/id=874/  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |