FixVibe
Covered by FixVibe. Severity: high

Remote Code Execution in SPIP via Template Tags (CVE-2016-7998)

SPIP versions 3.1.2 and earlier contain a vulnerability in the template composer and compiler. An authenticated user can upload an HTML file containing crafted INCLUDE or INCLURE template tags; when that file is processed through the valider_xml action, the template compiler turns the crafted tags into PHP that runs on the server.

CVE-2016-7998 | CWE-20 (Improper Input Validation)

Impact

An authenticated attacker can execute arbitrary PHP code on the underlying web server [S1]. This allows for complete system compromise, including data exfiltration, modification of site content, and lateral movement within the hosting environment [S1].

Root Cause

The vulnerability exists in the SPIP template composer and compiler components [S1]. SPIP compiles templates into PHP before running them, and the compiler fails to validate or sanitize the arguments of specific template tags when it processes uploaded files [S1]. Specifically, it mishandles crafted INCLUDE or INCLURE tags inside HTML files [S1]. When an attacker has the uploaded file processed through the valider_xml action, the malicious tags are compiled and the resulting PHP is executed [S1]. The entry point therefore requires an account with access to the valider_xml action, but no further privilege on the host.

Affected Versions

  • SPIP versions 3.1.2 and all prior versions [S1].

Remediation

Update SPIP to a version newer than 3.1.2 to address this vulnerability [S1]. Ensure that file upload permissions are strictly restricted to trusted administrative users and that uploaded files are not stored in directories where the web server can execute them as scripts [S1]. Note that the second measure is general hardening rather than a fix for this issue: the PHP is produced by SPIP's own template compiler and executed by SPIP, not by the web server serving the uploaded file directly, so only the upgrade (or denying untrusted accounts access to uploads and the valider_xml action) closes this path.

How FixVibe tests for it

FixVibe detects this vulnerability through two methods:

  • Passive Fingerprinting: By analyzing HTTP response headers or meta tags in the HTML source, FixVibe identifies the running version of SPIP [S1]. SPIP announces itself in a Composed-By response header ("SPIP x.y.z @ ...") and in a <meta name="generator" content="SPIP x.y.z ..."> tag. If the version is 3.1.2 or lower, FixVibe raises a high-severity alert [S1]. The comparison is numeric per component, so a release such as 3.1.10 is not mistaken for a vulnerable one. An operator may have stripped these fingerprints, so their absence does not prove the site is patched.
  • Repository Scanning: For users who connect their GitHub repositories, FixVibe's repo scanner inspects dependency files or the version constant in the SPIP source tree (ecrire/inc_version.php) to identify vulnerable installations [S1].
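The following Python is an added example of both checks, not FixVibe's scanner code. It reads the SPIP version from a Composed-By header, from a generator meta tag, and from a copy of ecrire/inc_version.php, then compares it numerically against 3.1.2. All inputs are constructed inline; the assumption that the 3.x release version is the string assigned to `$spip_version_branche` in inc_version.php is labelled in the code. It also shows the ordering pitfall: a string comparison would flag 3.1.10 as vulnerable, the tuple comparison does not.

```python
import re

# Constructed inputs (not captured from a real host) for the three places
# the advisory says the SPIP version can be read from.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "composed-by": "SPIP 3.1.2 @ www.spip.net + http://site.example/",
}
SAMPLE_HTML = (
    '<html><head><meta name="generator" content="SPIP 3.1.10 [23000]" />'
    "</head><body></body></html>"
)
# Constructed excerpt of ecrire/inc_version.php. Assumption: in SPIP 3.x the
# release version is the string assigned to $spip_version_branche.
SAMPLE_INC_VERSION = (
    '<?php\n$spip_version_branche = "3.0.22";\n$spip_version_code = 18543;\n'
)

# Highest version the advisory lists as affected.
LAST_VULNERABLE = (3, 1, 2)

_VERSION = r"(\d+(?:\.\d+)*)"
_SPIP_VERSION_RE = re.compile(r"\bSPIP\s+" + _VERSION)
_GENERATOR_RE = re.compile(
    r'<meta\b[^>]*\bname\s*=\s*["\']generator["\'][^>]*\bcontent\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE,
)
_INC_VERSION_RE = re.compile(r'\$spip_version_branche\s*=\s*["\']' + _VERSION + r'["\']')


def parse_version(text):
    """Turn '3.1.10' into (3, 1, 10). Returns None when text is not a version."""
    if text is None:
        return None
    m = re.fullmatch(_VERSION, text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_from_headers(headers):
    """Passive fingerprint 1: SPIP's Composed-By header (names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "composed-by":
            m = _SPIP_VERSION_RE.search(value)
            if m:
                return parse_version(m.group(1))
    return None


def version_from_html(html):
    """Passive fingerprint 2: <meta name="generator" content="SPIP x.y.z ...">."""
    m = _GENERATOR_RE.search(html)
    if not m:
        return None
    v = _SPIP_VERSION_RE.search(m.group(1))
    return parse_version(v.group(1)) if v else None


def version_from_inc_version(php_source):
    """Repository check: read $spip_version_branche from ecrire/inc_version.php."""
    m = _INC_VERSION_RE.search(php_source)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(version):
    """True when version <= 3.1.2, compared component by component.

    '3.1.10' < '3.1.2' as strings because '1' < '2'; comparing tuples of ints
    gets this right. Missing trailing components are treated as 0, and an
    unknown version never raises an alert on its own.
    """
    if version is None:
        return False
    padded = tuple(version) + (0,) * (len(LAST_VULNERABLE) - len(version))
    return padded <= LAST_VULNERABLE


def fingerprint_response(headers, html):
    """Prefer the header, fall back to the meta tag; report what was found."""
    version, source = version_from_headers(headers), "Composed-By header"
    if version is None:
        version, source = version_from_html(html), "generator meta tag"
    if version is None:
        return {"version": None, "source": None, "vulnerable": False}
    return {"version": ".".join(map(str, version)), "source": source,
            "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    print(fingerprint_response(SAMPLE_HEADERS, SAMPLE_HTML))
    print(fingerprint_response({"Server": "nginx"}, SAMPLE_HTML))
    v = version_from_inc_version(SAMPLE_INC_VERSION)
    print("repo:", v, "vulnerable" if is_vulnerable(v) else "not vulnerable")
```

The header wins over the meta tag when both are present because it is set by SPIP itself rather than by a theme that may hard-code an old generator string; when the header is missing the meta tag is still checked, and a site with neither is reported as unknown rather than as patched.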