FixVibe
Covered by FixVibe | Severity: high

Remote Code Execution in SPIP via template tags (CVE-2016-7998)

SPIP 3.1.2 and earlier are vulnerable to remote code execution via malicious template tags in uploaded HTML files.

SPIP versions 3.1.2 and earlier contain a vulnerability in the template composer. Authenticated attackers can upload HTML files with crafted INCLUDE or INCLURE tags to execute arbitrary PHP code on the server.

CVE-2016-7998 | CWE-20

Impact

An authenticated attacker can execute arbitrary PHP code on the underlying web server [S1]. This allows for complete system compromise, including data exfiltration, modification of site content, and lateral movement within the hosting environment [S1].

Root Cause

The vulnerability exists in the SPIP template composer and compiler components [S1]. The system fails to properly validate or sanitize input within specific template tags when processing uploaded files [S1]. Specifically, the compiler incorrectly handles crafted INCLUDE or INCLURE tags inside HTML files [S1]. When an attacker accesses these uploaded files through the valider_xml action, the malicious tags are processed, leading to PHP code execution [S1].

Affected Versions

  • SPIP versions 3.1.2 and all prior versions [S1].

Remediation

Update SPIP to a version newer than 3.1.2 to address this vulnerability [S1]. Ensure that file upload permissions are strictly restricted to trusted administrative users and that uploaded files are not stored in directories where the web server can execute them as scripts [S1].

How FixVibe tests for it

FixVibe could detect this vulnerability through two primary methods:

  • Passive Fingerprinting: By analyzing HTTP response headers or specific meta tags in the HTML source, FixVibe can identify the running version of SPIP [S1]. If the version is 3.1.2 or lower, it would trigger a high-severity alert [S1].
  • Repository Scanning: For users who connect their GitHub repositories, FixVibe's repo scanner can inspect dependency files or version-defining constants in the SPIP source code to identify vulnerable installations [S1].
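The version check behind both methods can be sketched as follows. This is an added example, not FixVibe's own code. It assumes the version is exposed in a `Composed-By` response header, a `generator` meta tag, or a `$spip_version_branche` assignment in the source tree. The page names none of these sources, and all sample inputs are constructed.

```python
import re

LAST_AFFECTED = (3, 1, 2)  # page: 3.1.2 and all prior versions are affected

# Assumed version sources (not named on the page).
_VER = r"(\d+(?:\.\d+){1,2})"
_HEADER_RE = re.compile(r"SPIP\s+" + _VER, re.I)
_META_RE = re.compile(
    r"<meta[^>]+name=[\"']generator[\"'][^>]+content=[\"']SPIP\s+" + _VER, re.I)
_CONST_RE = re.compile(r"\$spip_version_branche\s*=\s*[\"']" + _VER + r"[\"']")


def extract_version(headers=None, html="", source=""):
    """Return (version_tuple, origin), or (None, None) if nothing is exposed."""
    candidates = [(_META_RE, html, "meta"), (_CONST_RE, source, "source")]
    for name, value in (headers or {}).items():
        if name.lower() == "composed-by":
            candidates.insert(0, (_HEADER_RE, value, "header"))
    for pattern, text, origin in candidates:
        match = pattern.search(text or "")
        if match:
            return tuple(int(p) for p in match.group(1).split(".")), origin
    return None, None


def assess(headers=None, html="", source=""):
    """Classify one target as vulnerable / not-affected / indeterminate / unknown."""
    version, origin = extract_version(headers, html, source)
    if version is None:
        # A hidden version proves nothing; do not report the site as safe.
        return {"status": "unknown", "version": None, "origin": None}
    shown = ".".join(str(p) for p in version)
    if len(version) < 3 and version == LAST_AFFECTED[:len(version)]:
        # Only "3.1" is visible: 3.1.2 (affected) and 3.1.3 look identical.
        status = "indeterminate"
    elif (version + (0, 0))[:3] <= LAST_AFFECTED:
        status = "vulnerable"
    else:
        status = "not-affected"
    return {"status": status, "version": shown, "origin": origin}


if __name__ == "__main__":
    # Constructed sample inputs.
    print(assess(headers={"Composed-By": "SPIP 3.1.1 @ www.spip.net"}))
    print(assess(html='<meta name="generator" content="SPIP 3.1.3 [23214]" />'))
    print(assess(source='$spip_version_branche = "3.0.17";'))
```

A result of `unknown` or `indeterminate` means the version could not be confirmed from outside, so the installed release should be checked directly.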