CVE-2024-8517 – Unauthenticated Remote Code Execution in SPIP

Posted: September 13, 2024

A critical security flaw has been discovered in SPIP, a popular open-source content management system (CMS). This flaw, identified as CVE-2024-8517, stems from a command injection issue in the BigUp plugin. The vulnerability allows attackers to execute arbitrary OS commands remotely and without authentication, simply by sending a malicious multipart file upload HTTP request.

This blog will explore the details of this vulnerability, its potential impacts, and the essential steps for mitigation.


Risk Analysis

Severity: High
CVSSv3.1 Base Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit available in public: No
Exploit complexity: Low

CVE-2024-8517 arises from improper handling of user input in the lister_fichiers_par_champs function. This function fails to adequately sanitize data from file uploads, particularly when the bigup_retrouver_fichiers parameter is set to 1. As a result, attackers can craft HTTP requests containing PHP code which, when processed, executes arbitrary commands on the server.

The vulnerability affects all versions of SPIP before 4.3.2, 4.2.16, and 4.1.18.

One of the most alarming aspects of this vulnerability is that it requires no authentication. Attackers need no special privileges or prior access; a single specially crafted HTTP request to an affected SPIP server is enough, which makes exploitation considerably more likely.

Impact

The vulnerability allows remote code execution, potentially leading to:

  1. Unauthorized Access to Sensitive Data: Attackers could gain access to confidential information stored on the server.
  2. Modification or Deletion of Critical Files: The integrity of critical system files could be compromised.
  3. Installation of Malware: Attackers may install malicious software or backdoors on the server.
  4. Lateral Movement: The compromised system could serve as a foothold for further attacks within the network.
  5. System as a Launching Point: The server could be used as a base for additional attacks targeting other systems.

While it has not yet been observed in the wild, the publication of a proof-of-concept (PoC) exploit increases the likelihood of it being used in real-world attacks.

Mitigation Strategies

To mitigate the risks associated with CVE-2024-8517, it is crucial to update to the latest patched versions: 4.3.2 or later for the 4.3.x branch, 4.2.16 or later for the 4.2.x branch, and 4.1.18 or later for the 4.1.x branch.

Also consider implementing the following additional mitigations:

  1. Restrict Access: Limit the file upload functionality to trusted users only.
  2. Enhance Input Validation: Apply strict input validation and sanitization for all file uploads.
  3. Monitor Logs: Regularly check system logs for any unusual activity related to file uploads or command execution.
  4. Conduct a Security Audit: Perform a thorough security audit of affected systems to ensure no compromise has occurred.
  5. Strengthen Security Practices: Review and enhance overall security measures, especially those related to file uploads and command execution prevention.
  6. Deploy a WAF: Utilize a Web Application Firewall (WAF) to filter potentially malicious requests.

AppTrana Coverage on RCE Vulnerabilities

With AppTrana WAAP, our customers are shielded from RCE exploits, including CVE-2024-8517, right from Day 0.

The screenshots illustrate AppTrana WAAP's capability to block this vulnerability. When the malicious requests sent through Burp are intercepted, WAAP responds with an HTTP 406 status code.

1) name="HELLO[AB'.system('id').die().'CD]"

2) name="RCE'-system('id')-'[ABCD]"

3) name="RCE'-sprintf(system('id'),die())-'[ABCD]"

4) name:RCE['.system('$cmd').die().'][][ll]=@foo.txt

[Screenshots: AppTrana WAAP coverage for CVE-2024-8517, blocking each of the command injection PoC requests above]
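As an added defender-side example (not code from the original post, SPIP or Indusface): a small Python heuristic that extracts the field names from a raw multipart upload body and flags those shaped like the four PoC payloads above, the kind of check a log-review script or custom WAF rule behind the "Monitor Logs" and "Deploy a WAF" mitigations would apply. The benign field-name shape and the sample request body are assumptions constructed here.

```python
import re

# Ordinary form-field name: identifier with optional PHP-style array brackets,
# e.g. "fichier[]" or "logo_on[3]" (an assumption about legitimate SPIP/BigUp
# field names, not taken from SPIP's source).
BENIGN_NAME = re.compile(r"^[A-Za-z_][\w\-]*(?:\[[\w\-]*\])*$")

# Fragments found in every PoC payload on this page but never in a field name.
INJECTION_HINTS = re.compile(
    r"""['"]                 # quote used to break out of a PHP string literal
      | \b[A-Za-z_]\w*\s*\(   # function call such as system( or die(
      | \.\s*['"]             # PHP string concatenation
      | \$\w+                 # PHP variable such as $cmd
    """,
    re.VERBOSE,
)

# name= of a form-data Content-Disposition header (quoted value may hold single quotes).
DISPOSITION_NAME = re.compile(
    r"""^Content-Disposition:\s*form-data;[^\r\n]*?
        \bname=(?:"(?P<quoted>[^"\r\n]*)"|(?P<bare>[^;\r\n]+))""",
    re.IGNORECASE | re.MULTILINE | re.VERBOSE,
)

def is_suspicious_field_name(name: str) -> bool:
    """True when a multipart field name looks like a PHP code injection."""
    name = name.strip()
    if BENIGN_NAME.match(name):
        return False
    return INJECTION_HINTS.search(name) is not None

def extract_field_names(body: str) -> list:
    """Every form-data field name declared in a raw multipart body."""
    return [m.group("quoted") if m.group("quoted") is not None else m.group("bare")
            for m in DISPOSITION_NAME.finditer(body)]

def suspicious_field_names(body: str) -> list:
    """Field names in the body that a log review or WAF rule should flag."""
    return [n for n in extract_field_names(body) if is_suspicious_field_name(n)]

# Constructed multipart body: one ordinary upload part, then a part whose field
# name carries the first PoC payload quoted on this page.
SAMPLE_BODY = (
    "--boundary\r\n"
    'Content-Disposition: form-data; name="fichier[]"; filename="notes.txt"\r\n\r\nhello\r\n'
    "--boundary\r\n"
    "Content-Disposition: form-data; name=\"HELLO[AB'.system('id').die().'CD]\"; filename=\"x.txt\"\r\n\r\nx\r\n"
    "--boundary--\r\n"
)
```

Running `suspicious_field_names(SAMPLE_BODY)` returns only the injected name; the benign `fichier[]` part passes, so the check can be applied to request logs without flagging normal uploads.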

Pavithra Hanchagaiah

Passionate InfoSec professional with 18+ years of experience in R&D, project management, and technology leadership. Head of Security Research at Indusface's AppTrana, leading teams delivering WAS and WAF mechanisms. Former manager at Trend Micro, leading cross-functional teams in IPS/IDS signature development. Expertise in team leadership, process improvement, and issue analysis.
