0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

SPIP 3.1.2 Cross Site Scripting Vulnerability

Author

Nicolas Chatelain

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

CVE

Platform

## SPIP 3.1.2 Reflected Cross-Site Scripting (CVE-2016-7981)

### Product Description

SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.

### Vulnerability Description

The `var_url` parameter of the `valider_xml` file is not correctly sanitized and can be used to trigger a reflected XSS vulnerability.

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-79

**CVSS Base Score**: 6.8 (Medium)

**CVE-ID**: CVE-2016-7981

### Proof of Concept

    http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=%22%3E%3Ch1%3EXSS!%3C/h1%3E

### Vulnerable code

The `$url variable` is not properly sanitized in `valider_xml.php`, line 134 :

    $res =
      "<div style='text-align: center'>" . $err . "</div>" .
      "<div style='margin: 10px; text-align: left'>" . $texte . '</div>';
    $bandeau = "<a href='$url_aff'>$url</a>";

The Cross-Site Scripting vulnerability is triggered on line 146 :

    echo "<h1>", $titre, '<br>', $bandeau, '</h1>',


### Timeline (dd/mm/yyyy)

* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 27/09/2016 : Incorrect fix from SPIP Team.
* 27/09/2016 : New proof of concept for bypassing fixes for XSS sent.
* 27/09/2016 : Fixes issued for XSS (23185).
* 30/09/2016 : SPIP 3.1.3 Released

### Fixes

* https://core.spip.net/projects/spip/repository/revisions/23200
* https://core.spip.net/projects/spip/repository/revisions/23201
* https://core.spip.net/projects/spip/repository/revisions/23202


### Affected versions

* Version <= 3.1.2

### Credits

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)

#  0day.today [2024-07-05]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

SPIP 3.1.2 Cross Site Scripting Vulnerability

Report Error

Report Error