SPIP 3.1.2 Reflected Cross-Site Scripting (CVE-2016-7981)
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence. The `var_url` parameter of the `valider_xml` file is not correctly sanitized and can be used to trigger a reflected XSS vulnerability.SPIP 3.1.2 Reflected Cross-Site Scripting (CVE-2016-7981)
Product Description
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
Vulnerability Description
The var_url
parameter of the valider_xml
file is not correctly sanitized and can be used to trigger a reflected XSS vulnerability.
Access Vector: remote
Security Risk: medium
Vulnerability: CWE-79
CVSS Base Score: 6.8 (Medium)
CVE-ID: CVE-2016-7981
Proof of Concept
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=%22%3E%3Ch1%3EXSS!%3C/h1%3E
Vulnerable code
The $url variable
is not properly sanitized in valider_xml.php
, line 134 :
$res =
"<div style='text-align: center'>" . $err . "</div>" .
"<div style='margin: 10px; text-align: left'>" . $texte . '</div>';
$bandeau = "<a href='$url_aff'>$url</a>";
The Cross-Site Scripting vulnerability is triggered on line 146 :
echo "<h1>", $titre, '<br>', $bandeau, '</h1>',
Timeline (dd/mm/yyyy)
- 15/09/2016 : Initial discovery
- 26/09/2016 : Contact with SPIP Team
- 27/09/2016 : Answer from SPIP Team, sent advisory details
- 27/09/2016 : Incorrect fix from SPIP Team.
- 27/09/2016 : New proof of concept for bypassing fixes for XSS sent.
- 27/09/2016 : Fixes issued for XSS (23185).
- 30/09/2016 : SPIP 3.1.3 Released
Fixes
- https://core.spip.net/projects/spip/repository/revisions/23200
- https://core.spip.net/projects/spip/repository/revisions/23201
- https://core.spip.net/projects/spip/repository/revisions/23202
Affected versions
- Version <= 3.1.2
Credits
- Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)