SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Spip | Spip | 1.9 (including) | 1.9 (including) |
| Spip | Spip | 1.9-alpha2 (including) | 1.9-alpha2 (including) |
| Spip | Spip | 1.9.1 (including) | 1.9.1 (including) |
| Spip | Spip | 1.9.2c (including) | 1.9.2c (including) |
| Spip | Spip | 1.9.2d (including) | 1.9.2d (including) |
| Spip | Spip | 1.9.2g (including) | 1.9.2g (including) |
| Spip | Spip | 1.9.2h (including) | 1.9.2h (including) |
| Spip | Spip | 1.9.alpha1 (including) | 1.9.alpha1 (including) |
| Spip | Spip | 2.0-rc1 (including) | 2.0-rc1 (including) |
| Spip | Spip | 2.0.0 (including) | 2.0.0 (including) |
| Spip | Spip | 2.0.1 (including) | 2.0.1 (including) |
| Spip | Spip | 2.0.2 (including) | 2.0.2 (including) |
| Spip | Spip | 2.0.3 (including) | 2.0.3 (including) |
| Spip | Spip | 2.0.4 (including) | 2.0.4 (including) |
| Spip | Spip | 2.0.5 (including) | 2.0.5 (including) |
| Spip | Spip | 2.0.6 (including) | 2.0.6 (including) |
| Spip | Spip | 2.0.7 (including) | 2.0.7 (including) |
| Spip | Spip | 2.0.8 (including) | 2.0.8 (including) |
| Spip | Ubuntu | dapper | * |
| Spip | Ubuntu | karmic | * |
References
- http://fil.rezo.net/secu-14346-14350+14354.patch
- http://secunia.com/advisories/36365
- http://www.securityfocus.com/bid/36008
- http://www.spip-contrib.net/SPIP-Security-Alert-new-version
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52381
- http://fil.rezo.net/secu-14346-14350+14354.patch
- http://secunia.com/advisories/36365
- http://www.securityfocus.com/bid/36008
- http://www.spip-contrib.net/SPIP-Security-Alert-new-version
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52381