CVE-2017-9736

Published: 17 June 2017

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

Priority

High

CVSS 3 base score: 9.8

Status

Package: spip

Release: Status
Upstream: Released (3.1.4-3)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (3.1.4-3)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (3.1.4-3)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [code not present])

Patches:
Upstream: https://core.spip.net/projects/spip/repository/revisions/23593
Upstream: https://core.spip.net/projects/spip/repository/revisions/23594

Notes

seth-arnold: The patches look like this is a simple black-list functionality but doesn't black-list $() or `` or <() or any other number of shell metacharacters. I expect this is still broken and should use a whitelist of a-z0-9_-.

msalvatore: "SPIP 3.0.x and earlier versions are not affected by this issue."
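
The difference between the two approaches in seth-arnold's note, as an added example (not SPIP's code and not the upstream patch): a hypothetical three-character denylist next to an allowlist for the host field. The denylist contents, the function names, the sample values and the assumption that the field holds a DNS-style host name are all illustrative.

```python
import re

# Hypothetical denylist built for this illustration; it is NOT the filter
# from the upstream SPIP revisions. It strips three common metacharacters.
DENYLIST = re.compile(r"[;&|]")

# Allowlist per the note (a-z, 0-9, "_", "-"), with "." between labels.
# Assumption: the field holds a DNS-style host name. Requiring an
# alphanumeric first character is an extra restriction added here so the
# value can never be read as a command-line option.
HOST_RE = re.compile(r"[a-z0-9][a-z0-9_-]*(?:\.[a-z0-9_-]+)*")

SHELL_SPECIAL = set("$`()<>;&|")


def denylist_clean(host):
    """Remove denylisted characters and pass everything else through."""
    return DENYLIST.sub("", host)


def validate_host(host):
    """Return the lower-cased host if it passes the allowlist, else None."""
    host = host.lower()
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if len(host) <= 253 and HOST_RE.fullmatch(host):
        return host
    return None


def compare(samples):
    """Per sample: (denylist output, leftover specials, allowlist result)."""
    rows = []
    for s in samples:
        cleaned = denylist_clean(s)
        leftover = "".join(sorted(SHELL_SPECIAL & set(cleaned)))
        rows.append((cleaned, leftover, validate_host(s)))
    return rows


# Constructed sample inputs; "cmd" is a placeholder, not a real command.
SAMPLES = ["db.example.org", "db.example.org;cmd", "$(cmd)", "`cmd`", "<(cmd)"]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The denylist passes the three substitution forms named in the note through unchanged, while the allowlist rejects every sample except the plain host name.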
