Covered by FixVibe (severity: high)

Remote Code Execution in SPIP via Template Tags (CVE-2016-7998)

SPIP 3.1.2 and earlier are vulnerable to remote code execution via malicious template tags in uploaded HTML files.

SPIP versions 3.1.2 and earlier contain a vulnerability in the template composer. Authenticated attackers can upload HTML files with crafted INCLUDE or INCLURE tags to execute arbitrary PHP code on the server.

CVE-2016-7998 | CWE-20 (Improper Input Validation)

Impact

An authenticated attacker can execute arbitrary PHP code on the underlying web server [S1]. This allows for complete system compromise, including data exfiltration, modification of site content, and lateral movement within the hosting environment [S1].

Root Cause

The vulnerability exists in the SPIP template composer and compiler components [S1]. The system fails to properly validate or sanitize input within specific template tags when processing uploaded files [S1]. Specifically, the compiler incorrectly handles crafted INCLUDE or INCLURE tags inside HTML files [S1]. When an attacker then requests the uploaded file through the valider_xml action, the compiler processes the malicious tags and the resulting PHP is executed on the server [S1]. Note that the upload itself is not the trigger: the code runs only when the file is rendered as a template through that action, which is why authentication sufficient to upload files and reach valider_xml is the precondition.
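The following is an added illustration, written for this page and not taken from SPIP's code base, of the weakness class the root cause describes: a template compiler that copies a tag argument into generated PHP without validating it, beside a version that rejects anything but a whitelisted template name. The tag syntax, the `fond=` argument, the `squelettes/` directory and the sample uploaded file are constructed for the example; the page does not document SPIP's actual compiler internals, and this toy should not be read as its code.

```python
import re

# Toy template compiler, constructed for this page. It models the weakness
# class the advisory describes (CWE-20: a template tag argument that reaches
# generated PHP without validation). It is NOT SPIP's compiler; the tag
# syntax and the 'squelettes/' directory are assumptions for the example.
INCLUDE_TAG = re.compile(r"<(INCLUDE|INCLURE)\{fond=(?P<fond>[^}]*)\}>")

# A template name may only be a relative path made of safe path segments.
SAFE_FOND = re.compile(r"^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$")


def compile_unsafe(template: str) -> str:
    """Compile INCLUDE/INCLURE tags into PHP by string splicing.

    The 'fond' argument is copied verbatim into a PHP string literal, so an
    argument containing a quote closes the literal and injects PHP code that
    runs when the compiled template is executed.
    """
    return INCLUDE_TAG.sub(
        lambda m: f"<?php include('squelettes/{m.group('fond')}.html'); ?>",
        template,
    )


def compile_safe(template: str) -> str:
    """Compile the same tags, but validate the argument first.

    Only a whitelisted template name is accepted; anything else aborts the
    compilation instead of reaching the generated PHP.
    """
    def emit(m: re.Match) -> str:
        fond = m.group("fond")
        if not SAFE_FOND.match(fond):
            raise ValueError(f"rejected template name in {m.group(1)} tag: {fond!r}")
        return f"<?php include('squelettes/{fond}.html'); ?>"

    return INCLUDE_TAG.sub(emit, template)


# Constructed uploaded "HTML files": one benign tag, one crafted tag.
BENIGN = "<h1>Hello</h1><INCLURE{fond=inc/head}>"
CRAFTED = "<INCLURE{fond=x.html'); system($_GET['c']); //}>"


def demo() -> dict:
    """Run both compilers over the samples and report what each produced."""
    out = {
        "benign": compile_safe(BENIGN),
        "unsafe_crafted": compile_unsafe(CRAFTED),
    }
    try:
        compile_safe(CRAFTED)
        out["safe_crafted"] = "accepted"
    except ValueError as exc:
        out["safe_crafted"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe compiler turns the crafted tag into PHP that calls `system()` on a request parameter; the safe compiler never emits code for it. The point is where validation happens: at compile time, on the tag argument, before any PHP is generated.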

Affected Versions

  • SPIP versions 3.1.2 and all prior versions [S1].

Remediation

Update SPIP to a version newer than 3.1.2 to address this vulnerability [S1]. As defence in depth, ensure that file upload permissions are strictly restricted to trusted administrative users and that uploaded files are not stored in directories where the web server can execute them as scripts [S1]. These hardening measures reduce exposure but do not remove the flaw in the template compiler; upgrading is the fix.

How FixVibe tests for it

FixVibe could detect this vulnerability through two primary methods:

  • Passive Fingerprinting: By analyzing HTTP response headers or specific meta tags in the HTML source, FixVibe can identify the running version of SPIP [S1]. If the version is 3.1.2 or earlier, it would trigger a high-severity alert [S1].
  • Repository Scanning: For users who connect their GitHub repositories, FixVibe's repo scanner can inspect dependency files or version-defining constants in the SPIP source code to identify vulnerable installations [S1].
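As an added example covering both detection methods above (this is illustration code written for this page, not FixVibe's scanner), the version-check logic can be reduced to three steps: extract a version string from an HTTP response or from the source tree, parse it into a comparable tuple, and compare it against 3.1.2. The header name `Composed-By`, the `generator` meta tag and the `$spip_version_branche` constant in `ecrire/inc_version.php` are assumptions about where SPIP advertises its version; the page does not name them, and the sample responses and source file below are constructed.

```python
import re
from typing import Mapping, Optional

# Constructed example: the version-check logic behind passive fingerprinting
# and repository scanning. Assumptions not stated on the page: SPIP exposes
# its version in a 'Composed-By' response header and in a
# <meta name="generator"> tag, and defines $spip_version_branche in
# ecrire/inc_version.php. Adjust the patterns if your target differs.

LAST_VULNERABLE = (3, 1, 2)  # CVE-2016-7998: 3.1.2 and all prior versions

HEADER_RE = re.compile(r"SPIP\s+(\d+(?:\.\d+)*)", re.IGNORECASE)
META_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']SPIP\s+(\d+(?:\.\d+)*)',
    re.IGNORECASE,
)
CONST_RE = re.compile(r'\$spip_version_branche\s*=\s*["\'](\d+(?:\.\d+)*)["\']')


def parse_version(text: str) -> tuple:
    """'3.1.10' -> (3, 1, 10); tuple comparison orders versions correctly."""
    return tuple(int(part) for part in text.split("."))


def fingerprint_http(headers: Mapping[str, str], body: str) -> Optional[str]:
    """Passive fingerprint: version from the Composed-By header, else the meta tag."""
    for name, value in headers.items():
        if name.lower() == "composed-by":
            m = HEADER_RE.search(value)
            if m:
                return m.group(1)
    m = META_RE.search(body)
    return m.group(1) if m else None


def fingerprint_source(inc_version_php: str) -> Optional[str]:
    """Repository scan: version from the constant in ecrire/inc_version.php."""
    m = CONST_RE.search(inc_version_php)
    return m.group(1) if m else None


def is_vulnerable(version: Optional[str]) -> Optional[bool]:
    """True if version <= 3.1.2, False if newer, None if no version was found."""
    if version is None:
        return None
    return parse_version(version) <= LAST_VULNERABLE


# Constructed sample data for the three inputs.
HEADERS_OLD = {"Composed-By": "SPIP 3.1.2 @ www.spip.net + spip(3.1.2)"}
BODY_PATCHED = '<html><head><meta name="generator" content="SPIP 3.1.3"></head></html>'
INC_VERSION_OLD = '<?php\n$spip_version_branche = "3.0.17";\n'


def assess_all() -> dict:
    """Run every detection path over the samples and return the verdicts."""
    return {
        "header_3.1.2": is_vulnerable(fingerprint_http(HEADERS_OLD, "")),
        "meta_3.1.3": is_vulnerable(fingerprint_http({}, BODY_PATCHED)),
        "repo_3.0.17": is_vulnerable(fingerprint_source(INC_VERSION_OLD)),
        "no_banner": is_vulnerable(fingerprint_http({}, "<html></html>")),
    }


if __name__ == "__main__":
    for source, verdict in assess_all().items():
        print(f"{source}: {verdict}")
```

Two practical caveats: a missing banner yields `None`, not "safe", and must be reported as unknown rather than dropped; and the comparison is done on integer tuples, so 3.1.10 correctly ranks above 3.1.2 where a string comparison would not.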