CVE-2016-7999 - Server-Side Request Forgery (SSRF) vulnerability in SPIP
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | HIGH |
Availability impact | NONE |
Summary
ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-695.NASL |
description | Multiple vulnerabilities have been discovered in SPIP, a website engine for publishing written in PHP. CVE-2016-7980 Nicolas Chatelain of Sysdream Labs discovered a cross-site request forgery (CSRF) vulnerability in the valider_xml action of SPIP. This allows remote attackers to make use of potential additional vulnerabilities such as the one described in CVE-2016-7998. CVE-2016-7981 Nicolas Chatelain of Sysdream Labs discovered a reflected cross-site scripting attack (XSS) vulnerability in the valider_xml action of SPIP. An attacker could take advantage of this vulnerability to inject arbitrary code by tricking an administrator to open a malicious link. CVE-2016-7982 Nicolas Chatelain of Sysdream Labs discovered a file enumeration / path traversal attack in the valider_xml action of SPIP. An attacker could use this to enumerate files in an arbitrary directory on the file system. CVE-2016-7998 Nicolas Chatelain of Sysdream Labs discovered a possible PHP code execution vulnerability in the template compiler/composer function of SPIP. In combination with the XSS and CSRF vulnerabilities described in this advisory, a remote attacker could take advantage of this to execute arbitrary PHP code on the server. CVE-2016-7999 Nicolas Chatelain of Sysdream Labs discovered a server side request forgery in the valider_xml action of SPIP. Attackers could take advantage of this vulnerability to send HTTP or FTP requests to remote servers that they don |
last seen | 2020-03-17 |
modified | 2016-11-03 |
plugin id | 94476 |
published | 2016-11-03 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/94476 |
title | Debian DLA-695-1 : spip security update |
Packetstorm
data source | https://packetstormsecurity.com/files/download/139240/spip312-ssrf.txt |
id | PACKETSTORM:139240 |
last seen | 2016-12-05 |
published | 2016-10-20 |
reporter | Nicolas Chatelain |
source | https://packetstormsecurity.com/files/139240/SPIP-3.1.2-Server-Side-Request-Forgery.html |
title | SPIP 3.1.2 Server Side Request Forgery |
References
- https://core.spip.net/projects/spip/repository/revisions/23193
- https://core.spip.net/projects/spip/repository/revisions/23188
- http://www.openwall.com/lists/oss-security/2016/10/12/10
- http://www.openwall.com/lists/oss-security/2016/10/08/6
- http://www.openwall.com/lists/oss-security/2016/10/07/5
- http://www.openwall.com/lists/oss-security/2016/10/05/17
- http://www.securityfocus.com/bid/93451
- https://sysdream.com/news/lab/2016-10-19-spip-3-1-2-server-side-request-forgery-cve-2016-7999/