FixVibe
Covered by FixVibe (severity: high)

Remote Code Execution in SPIP via Template Tags (CVE-2016-7998)

SPIP 3.1.2 and earlier are vulnerable to remote code execution through malicious template tags in uploaded HTML files.

SPIP versions 3.1.2 and earlier contain a vulnerability in the template composer. Authenticated attackers can upload HTML files with crafted INCLUDE or INCLURE tags to execute arbitrary PHP code on the server.

CVE-2016-7998 (CWE-20)

Impact

An authenticated attacker can execute arbitrary PHP code on the underlying web server [S1]. This allows for complete system compromise, including data exfiltration, modification of site content, and lateral movement within the hosting environment [S1].

Root Cause

The vulnerability exists in the SPIP template composer and compiler components [S1]. The system fails to properly validate or sanitize input within specific template tags when processing uploaded files [S1]. Specifically, the compiler incorrectly handles crafted INCLUDE or INCLURE tags inside HTML files [S1]. When an attacker accesses these uploaded files through the valider_xml action, the malicious tags are processed, leading to PHP code execution [S1].

Affected Versions

  • SPIP versions 3.1.2 and all prior versions [S1].

Remediation

Update SPIP to a version newer than 3.1.2 to address this vulnerability [S1]. Ensure that file upload permissions are strictly restricted to trusted administrative users and that uploaded files are not stored in directories where the web server can execute them as scripts [S1].

How FixVibe tests for it

FixVibe could detect this vulnerability through two primary methods:

  • Passive Fingerprinting: By analyzing HTTP response headers or specific meta tags in the HTML source, FixVibe can identify the running version of SPIP [S1]. If the version is 3.1.2 or lower, it would trigger a high-severity alert [S1].
  • Repository Scanning: For users who connect their GitHub repositories, FixVibe's repo scanner can inspect dependency files or version-defining constants in the SPIP source code to identify vulnerable installations [S1].
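The passive fingerprinting check described above, as an added example rather than FixVibe's own scanner code: it extracts the SPIP version from a constructed HTTP response and raises a high-severity finding only when the version compares numerically at or below 3.1.2 (so 3.1.10 does not alert). The Composed-By header and the generator meta tag are assumed fingerprint sources; the page names neither.

```python
import re

# Constructed sample response (not captured from a real site). The
# Composed-By header and generator meta tag are assumed sources of the
# SPIP version string.
VULNERABLE_MAX = (3, 1, 2)
SAMPLE_HEADERS = {
    "Composed-By": "SPIP 3.1.2 @ www.spip.net",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_HTML = '<html><head><meta name="generator" content="SPIP 3.1.2">\n</head></html>'

_VERSION_RE = re.compile(r"SPIP\s+(\d+(?:\.\d+)*)", re.IGNORECASE)
_META_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.IGNORECASE)


def parse_version(text):
    """Return the SPIP version as a tuple of ints, or None if no version is present."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def fingerprint_spip(headers, html):
    """Prefer the Composed-By header (case-insensitive lookup); fall back to the meta tag."""
    lowered = {k.lower(): v for k, v in headers.items()}
    version = parse_version(lowered.get("composed-by", ""))
    if version is None:
        m = _META_RE.search(html or "")
        if m:
            version = parse_version(m.group(1))
    return version


def is_affected(version):
    """Numeric comparison against 3.1.2; missing minor/patch components count as 0."""
    if version is None:
        return False
    padded = version + (0,) * (3 - len(version))
    return padded[:3] <= VULNERABLE_MAX


def assess(headers, html):
    """Produce the finding a scanner would record for one response."""
    version = fingerprint_spip(headers, html)
    label = ".".join(map(str, version)) if version else None
    if is_affected(version):
        return {"version": label, "severity": "high", "cve": "CVE-2016-7998"}
    return {"version": label, "severity": "none", "cve": None}
```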