CVE-2009-3041
Published 2009-09-01
Priority P268 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 6.59% (93.0th percentile)
SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | spip | < spip 2.0.9-1 (bullseye) | spip 2.0.9-1 (bullseye) |
| spip | spip | — | — |
| spip | spip | >= 0 < 2.0.9-1 | 2.0.9-1 |
Detection & IOCs
- Detect unauthenticated GET requests to the SPIP install endpoint with the reinstall and transformer_xml parameters, which indicate exploitation of the missing access control.
- Flag path traversal sequences (../../../IMG/) in the nom_sauvegarde parameter of requests to ecrire/?exec=install, indicating an attempt to write backup/export files outside the intended directory.
- Monitor POST requests to spip.php containing action=export_all and export[]=spip_auteurs, which are used to exfiltrate the authors/credentials table via the backup mechanism.
- Alert on unauthenticated access to ecrire/exec/install.php or ecrire/index.php from external IPs, as these endpoints should require authentication.
- Detect retrieval of .xml files from the IMG/ directory immediately following install endpoint requests, indicating successful data exfiltration via the backup export chain.
- The vulnerability affects SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 only; versions 2.0.9 and later are patched. Scope detection rules to the vulnerable version ranges to reduce false positives.
- Exploitation in the wild was confirmed as of August 2009; treat any detections on legacy SPIP installations as high-confidence active exploitation.
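The request patterns listed above, applied to web-server access logs, as an added example (not code from the advisory sources or the SPIP project). The indicator labels, the combined-log-format sample lines and the rule that an IMG/*.xml fetch only counts after an install-endpoint hit from the same client are assumptions of this example; POST bodies do not appear in access logs, so the export check fires only when the parameters are in the query string.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-format prefix: client, timestamp, "METHOD target PROTO", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(method, target):
    """Return the indicator names (labels chosen for this example) one request matches."""
    url = urlsplit(target)
    path = unquote(url.path).lower()
    qs = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes values
    hits = set()
    via_index = path.endswith(("/ecrire/", "/ecrire/index.php")) and "install" in qs.get("exec", [])
    if via_index or path.endswith("/ecrire/exec/install.php"):
        hits.add("install_endpoint")
        if "reinstall" in qs and "transformer_xml" in qs:
            hits.add("reinstall_transformer_xml")
        if any(".." in v for v in qs.get("nom_sauvegarde", [])):
            hits.add("backup_name_traversal")
    if method == "POST" and path.endswith("/spip.php"):
        if "export_all" in qs.get("action", []) and "spip_auteurs" in qs.get("export[]", []):
            hits.add("export_authors_table")
    if "/img/" in path and path.endswith(".xml"):
        hits.add("img_xml_fetch")
    return hits

def scan(lines):
    """Return (client, indicator) alerts; an IMG/*.xml fetch only counts when the
    same client hit the install endpoint earlier and the fetch returned 200."""
    seen_install, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        hits = classify(method, target)
        if "img_xml_fetch" in hits and not (client in seen_install and status == "200"):
            hits.discard("img_xml_fetch")
        if "install_endpoint" in hits:
            seen_install.add(client)
        alerts += [(client, h) for h in sorted(hits)]
    return alerts

# Constructed sample lines; 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE = [
    '198.51.100.7 - - [14/Aug/2009:10:00:01 +0000] "GET /ecrire/?exec=install&reinstall=x&transformer_xml=x&nom_sauvegarde=..%2F..%2F..%2FIMG%2Fx HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Aug/2009:10:00:05 +0000] "GET /IMG/x.xml HTTP/1.1" 200 90412',
    '192.0.2.10 - - [14/Aug/2009:10:01:00 +0000] "GET /IMG/sitemap.xml HTTP/1.1" 200 1024',
    '192.0.2.10 - - [14/Aug/2009:10:02:00 +0000] "GET /spip.php?article12 HTTP/1.1" 200 8000',
]
```

Calling `scan(SAMPLE)` alerts only on the first client; the second client's IMG/sitemap.xml fetch is ignored because no install-endpoint request preceded it.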
CVSS provenance
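| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | MEDIUM | — |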
GHSA
GHSA-jjfc-23rr-g872: SPIP 1
ghsa_unreviewed · 2022-05-02 · HIGH
OSV
CVE-2009-3041: SPIP 1
osv · 2009-09-01 · CVSS 7.5 · HIGH
VulnCheck
SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 Installation and Backup Unauthorized Activity Vulnerability
vulncheck · 2009 · CVSS 7.5 · HIGH
Affected: spip spip
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://contrib.spip.net/SPIP-Security-Alert-new-version; https://www.cve.org/CVERecord?id=CVE-2009-3041
Debian
CVE-2009-3041: spip - SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access contro...
vendor_debian · 2009 · CVSS 7.5 · HIGH
Scope: local
bullseye: resolved (fixed in 2.0.9-1)
forky: resolved (fixed in 2.0.9-1)
sid: resolved (fixed in 2.0.9-1)
trixie: resolved (fixed in 2.0.9-1)
References
- http://fil.rezo.net/secu-14346-14350+14354.patch
- http://secunia.com/advisories/36365
- http://www.securityfocus.com/bid/36008
- http://www.spip-contrib.net/SPIP-Security-Alert-new-version
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52381