by r0t,der4444,cembo,VietMafia

Wednesday, December 21, 2005

SPIP XSS vuln.

Vuln. discovered by: r0t
Date: 21 Dec. 2005
Vendor: http://www.spip.net/en
Affected versions: 1.8.2 and prior

Product Description:

SPIP is a publishing system developed by the minirézo to manage the site uZine. We provide it to anyone as free software under the GPL license. Therefore, you can use it freely for your own site, be it personal, co-operative, institutional or commercial.

Vuln. Description:

SPIP contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the parameters of the "spip_login.php3" and "spip_pass.php3" scripts (the form fields shown on those pages) is not properly sanitised before being returned to the user.
This allows an attacker to craft a URL that, when a user follows it, executes arbitrary script in that user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Since the affected pages are the login and password pages, the injected script runs on the very page where the victim enters credentials.

Solution:
Edit the source code so that every request parameter reflected into the page is HTML-encoded before output (in PHP, htmlspecialchars() with ENT_QUOTES for values placed inside attributes), or apply the vendor's fix once one is available.
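The unsanitised-echo pattern described above beside its HTML-encoded form, together with the reflection check a tester would run before calling a build affected or fixed, as an added example. This is illustration code written for this page, not SPIP's own PHP; the page layout, the parameter name login and the probe strings are assumptions.

```python
"""Added example (not SPIP code): reflected input without and with HTML
encoding, plus a classifier for how a response reflects a probe.
The page layout, the parameter name 'login' and the probes are assumptions."""
import html
from urllib.parse import parse_qs, urlparse

# Constructed probes in the spirit of the PoC URLs discussed on this page.
SCRIPT_PROBE = "<script>alert(1)</script>"    # text context: runs as-is
ATTR_PROBE = "' autofocus onfocus='alert(1)"  # attribute context: closes value='...'


def _login_from(query_string: str) -> str:
    """Pull the assumed 'login' request parameter out of a raw query string."""
    return parse_qs(query_string).get("login", [""])[0]


def render_login_vulnerable(query_string: str) -> str:
    """Vulnerable pattern: the parameter is pasted verbatim into the page,
    once in a text node (an error message) and once in a single-quoted
    attribute (refilling the field), so the URL controls the page's markup."""
    login = _login_from(query_string)
    return (
        f"<p class='error'>Unknown login: {login}</p>"
        "<form action='spip_login.php3' method='post'>"
        f"<input type='text' name='login' value='{login}'>"
        "<input type='submit' value='OK'></form>"
    )


def render_login_fixed(query_string: str) -> str:
    """Hardened pattern: the value is HTML-encoded before it is reflected.
    html.escape(..., quote=True) encodes & < > \" and ', which covers both
    the text node and the single-quoted attribute used on this page."""
    login = html.escape(_login_from(query_string), quote=True)
    return (
        f"<p class='error'>Unknown login: {login}</p>"
        "<form action='spip_login.php3' method='post'>"
        f"<input type='text' name='login' value='{login}'>"
        "<input type='submit' value='OK'></form>"
    )


def classify_reflection(body: str, probe: str) -> str:
    """How does the response reflect the probe?
    'raw'     - verbatim, so the injected markup is live;
    'encoded' - only in HTML-encoded form, i.e. sanitised;
    'absent'  - not reflected at all on this page.
    Telling 'encoded' from 'absent' is what separates 'fixed' from 'never
    affected' when a newer build is re-tested."""
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def check_poc_url(url: str, renderer) -> str:
    """Take a PoC URL, hand its query string to a page renderer and classify
    the reflection of SCRIPT_PROBE.  Against a live target the renderer would
    perform an HTTP GET; here it is a local function so the example runs offline."""
    return classify_reflection(renderer(urlparse(url).query), SCRIPT_PROBE)


if __name__ == "__main__":
    poc = "http://spip.example/spip_login.php3?login=" + SCRIPT_PROBE
    print("vulnerable build:", check_poc_url(poc, render_login_vulnerable))  # raw
    print("fixed build:     ", check_poc_url(poc, render_login_fixed))       # encoded
    # Attribute breakout: the quote in ATTR_PROBE closes value='...' in the
    # vulnerable page but is reflected as &#x27; in the fixed one.
    print(render_login_vulnerable("login=" + ATTR_PROBE))
    print(render_login_fixed("login=" + ATTR_PROBE))
```

In PHP the counterpart of html.escape(..., quote=True) is htmlspecialchars($value, ENT_QUOTES). The classifier's "encoded" result is the evidence that distinguishes a fixed build from one that never reflected the parameter, which is exactly the question a re-test on a later release has to answer.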

7 Comments:

Anonymous told...

Can you be more specific please -- publicly or in a message to fil@rezo.net and esj@rezo.net (security maintainers)?

12:59 PM

Anonymous told...

Hi,

Could you explain how to correct this vulnerability? I do not know how to correct it.

Thanks a lot,

Paul

5:52 PM

neo told...

I had a look too and couldn't find any exploit or proof of concept concerning your "SPIP XSS vuln."

Do you yourself have a proof of concept, or at least a basic description of how this XSS could be exploited?

6:06 PM

r0t told...

Paul, I think the vendor will release a fix for that.

neo, PoC ... input manually into the given fields in those files and you will get a PoC.

5:22 PM

Anonymous told...

I think this advisory is not true.

10:06 PM

Anonymous told...

If I understand this report correctly, the issue is that it is possible to inject javascript code into the application using the input fields which are visible when browsing to the files given, i.e. to
[spip_site]/spip_login.php3
and
[spip_site]/spip_pass.php3

As such, these URLs should be usable for the PoC:

[spip_site]/spip_login.php3?var_login=<script>alert('XSS');</script>
[spip_site]/spip_pass.php3?oubli=<script>alert('XSS');</script>

I was not able to reproduce this on SPIP 1.8.2-e; however, some earlier versions (cannot say which) seem to be affected. It seems like this was silently fixed by the developers.

Moritz Naumann
http://moritz-naumann.com

6:21 PM

Anonymous told...

http://trac.rezo.net/trac/spip/ticket/67

4:50 PM

 

Copyright (c) 2006 Pridels Sec Crew