CVE-2016-7998
published 2017-01-18


Priority: P267 (high); CVSS 3.0 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: EPSS 13.65% (96.0th percentile)
The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action.

Affected

Vendor   Product  Version range            Fixed in
debian   spip     < 3.1.3-1 (bullseye)     3.1.3-1 (bullseye)
spip     spip     <= 3.1.2                 (none listed)
spip     spip     >= 0, < 3.1.3-1          3.1.3-1

Detection & IOCs (extracted from sources)

url:  http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///tmp/directory&ext=html
url:  http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=/tmp/directory&ext=html
path: ecrire/exec/valider_xml.php
path: ecrire/public/compiler.php
path: ecrire/public/composer.php

  • Monitor HTTP requests to the `ecrire/` endpoint with `exec=valider_xml`, a `var_url` parameter pointing to a local path or a `file://` URL, and `ext=html`; this is the trigger pattern for CVE-2016-7998 exploitation. Legitimate use of `valider_xml` validates a remote or site-local page URL, so a `var_url` with no scheme or a `file://` scheme is the distinguishing feature.
  • Detect uploaded HTML files containing crafted SPIP `INCLUDE` or `INCLURE` tags, which are used to inject PHP code into the template compiler pipeline.
  • Alert on `include_once` of attacker-controlled PHP files that the SPIP template compiler generated from user-supplied HTML; the compiled PHP file is included as long as it is not considered obsolete.
  • The exploit requires two sequential requests: the first compiles the malicious template, the second includes the compiled PHP. Correlate two requests to `valider_xml` with the same `var_url` value from the same client within a short time window.
  • CVE-2016-7998 can be chained with the CSRF in CVE-2016-7980 (`ecrire/exec/valider_xml.php`) to achieve unauthenticated RCE by tricking an authenticated admin into issuing the request; detect cross-origin or forged POST/GET requests to `valider_xml`.
  • The vulnerability is fixed in SPIP 3.1.3; detections and mitigations are only relevant for SPIP 3.1.2 and earlier.
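The trigger pattern and the two-request correlation described above, as an added detection example (not code from the page or from the SPIP project). It parses combined-format access-log lines, flags requests to `ecrire/` with `exec=valider_xml`, `ext=html` and a local or `file://` `var_url`, and pairs repeated requests from the same client for the same `var_url` inside a time window. The log lines, client addresses and 60-second window are constructed assumptions.

```python
"""Detection for the CVE-2016-7998 request pattern over access-log lines.

Added example; not from the page or the SPIP project. The log format is a
combined-log subset and the sample lines below are constructed.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined-log subset: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (assumed client addresses from TEST-NET ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jan/2017:10:00:01 +0000] "GET /ecrire/?exec=valider_xml&var_url=file:///tmp/directory&ext=html HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Jan/2017:10:00:04 +0000] "GET /ecrire/?exec=valider_xml&var_url=file:///tmp/directory&ext=html HTTP/1.1" 200 128',
    '198.51.100.3 - - [18/Jan/2017:10:05:00 +0000] "GET /ecrire/?exec=valider_xml&var_url=http%3A%2F%2Fexample.org%2Ffeed.xml&ext=xml HTTP/1.1" 200 2048',
    '198.51.100.3 - - [18/Jan/2017:10:06:00 +0000] "GET /ecrire/?exec=articles&id_article=12 HTTP/1.1" 200 9000',
    '203.0.113.9 - - [18/Jan/2017:11:00:00 +0000] "GET /ecrire/?exec=valider_xml&var_url=/tmp/directory&ext=html HTTP/1.1" 200 512',
]


def var_url_is_local(value):
    """A var_url with no scheme (bare path) or a file:// scheme is local.
    Remote http(s) URLs are the normal input for valider_xml."""
    scheme = urlsplit(value).scheme.lower()
    return scheme in ("", "file")


def is_trigger(url):
    """True when the request URL matches the CVE-2016-7998 trigger pattern."""
    parts = urlsplit(url)
    if "/ecrire/" not in parts.path and not parts.path.endswith("/ecrire"):
        return False
    q = parse_qs(parts.query)  # parse_qs percent-decodes values
    if q.get("exec", [""])[0] != "valider_xml":
        return False
    if q.get("ext", [""])[0].lower() != "html":
        return False
    var_url = q.get("var_url", [""])[0]
    return bool(var_url) and var_url_is_local(var_url)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "url": m["url"],
        "status": int(m["status"]),
    }


def find_trigger_events(lines):
    """Return parsed records for every line matching the trigger pattern."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_trigger(rec["url"]):
            continue
        rec["var_url"] = parse_qs(urlsplit(rec["url"]).query)["var_url"][0]
        events.append(rec)
    return events


def correlate(events, window_seconds=60):
    """Pair consecutive trigger requests from the same client with the same
    var_url inside the window (compile step followed by include step).
    Returns a list of (ip, var_url, seconds_between) tuples."""
    by_key = {}
    for e in events:
        by_key.setdefault((e["ip"], e["var_url"]), []).append(e)
    pairs = []
    for (ip, var_url), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for first, second in zip(evs, evs[1:]):
            delta = (second["ts"] - first["ts"]).total_seconds()
            if delta <= window_seconds:
                pairs.append((ip, var_url, delta))
    return pairs


if __name__ == "__main__":
    hits = find_trigger_events(SAMPLE_LOG)
    for h in hits:
        print("trigger:", h["ip"], h["ts"].isoformat(), h["var_url"])
    for ip, var_url, delta in correlate(hits):
        print(f"two-step pattern: {ip} var_url={var_url} {delta:.0f}s apart")
```

A single trigger request is worth an alert on its own; the pair is the higher-confidence signal that the second, include-triggering request was made. Run the correlation on `(ip, var_url)` rather than on `var_url` alone so that the CSRF chain via CVE-2016-7980, where the admin's browser issues the requests, is still grouped under one victim client.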

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     8.8    HIGH      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P
osv                     8.8    HIGH
vendor_debian           8.8    HIGH