CVE-2009-3041
published 2009-09-01


Priority: P268 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 6.59% (93.0th percentile)
SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009.

Affected

21 ranges
VendorProductVersion rangeFixed in
debianspip< spip 2.0.9-1 (bullseye)spip 2.0.9-1 (bullseye)
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip
spipspip>= 0 < 2.0.9-12.0.9-1
spipspip>= 0 < 2.0.9-12.0.9-1
spipspip>= 0 < 2.0.9-12.0.9-1

Detection & IOCs (extracted from sources)

url: ecrire/?exec=install&reinstall=non&transformer_xml=export_all&nom_sauvegarde=../../../IMG/
path: ecrire/exec/install.php
path: ecrire/index.php
url: spip.php
url: IMG/
command: action=export_all&export[]=spip_auteurs
  • Detect unauthenticated GET requests to the SPIP install endpoint with the reinstall and transformer_xml parameters, which indicate exploitation of the missing access control.
  • Flag path traversal sequences (../../../IMG/) in the nom_sauvegarde parameter of requests to ecrire/?exec=install, indicating an attempt to write backup/export files outside the intended directory.
  • Monitor POST requests to spip.php containing action=export_all and export[]=spip_auteurs, which are used to exfiltrate the authors/credentials table via the backup mechanism.
  • Alert on unauthenticated access to ecrire/exec/install.php or ecrire/index.php from external IPs, as these endpoints should require authentication.
  • Detect retrieval of .xml files from the IMG/ directory immediately following install endpoint requests, indicating successful data exfiltration via the backup export chain.
  • The vulnerability affects SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 only; versions 2.0.9 and later are patched. Scope detection rules to the vulnerable version ranges to reduce false positives.
  • Exploitation in the wild was confirmed as of August 2009; treat any detections on legacy SPIP installations as high-confidence active exploitation.
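
The request-line indicators above, applied to web server access logs. This is an added example, not a rule shipped by SPIP or by any source cited on this page. Assumptions: Apache combined log format, constructed sample lines and file names, hypothetical rule names, and "following" simplified to "later in the log from the same client". POST bodies and authentication state are not visible in access logs, so those bullets are not covered here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Sep/2009:10:00:01 +0000] "GET /ecrire/?exec=install&reinstall=non&transformer_xml=export_all&nom_sauvegarde=../../../IMG/ HTTP/1.1" 200 512
198.51.100.7 - - [01/Sep/2009:10:00:09 +0000] "GET /IMG/dump.xml HTTP/1.1" 200 90311
203.0.113.20 - - [01/Sep/2009:10:02:00 +0000] "GET /spip.php?page=article&id_article=3 HTTP/1.1" 200 7001
203.0.113.20 - - [01/Sep/2009:10:03:00 +0000] "GET /IMG/plan.xml HTTP/1.1" 200 1200
192.0.2.44 - - [01/Sep/2009:10:05:00 +0000] "GET /ecrire/exec/install.php HTTP/1.1" 200 300
"""

# client, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scan(log_text):
    """Return (client, rule, path) findings for the indicators listed above."""
    findings, install_seen = [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)
        qs = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes values
        if path.endswith("/ecrire/exec/install.php"):
            findings.append((client, "direct-install-php", path))
        if path.endswith(("/ecrire/", "/ecrire/index.php")) and qs.get("exec") == ["install"]:
            install_seen.add(client)
            if "reinstall" in qs and "transformer_xml" in qs:
                findings.append((client, "install-export-params", path))
            if any(".." in v for v in qs.get("nom_sauvegarde", [])):
                findings.append((client, "backup-path-traversal", path))
        # An .xml download from IMG/ only matters after an install request by the same client.
        if ("/IMG/" in path and path.lower().endswith(".xml")
                and status == "200" and client in install_seen):
            findings.append((client, "xml-fetch-after-install", path))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The second IMG/ download in the sample is not flagged because that client never touched the install endpoint, which is the correlation the last request-based bullet describes.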

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 7.5 | HIGH
vulncheck | 7.5 | HIGH
vendor_debian | 7.5 | MEDIUM