Security and SPIP

Description

SPIP is an open source content management system written in PHP. It was originally designed to use a MySQL, but now supports a number of SQL databases including PostgreSQL and SQLite. Like most software systems, it sometimes has bugs and flaws and, like many web-based systems, these can sometimes lead to exploitable security holes. This post describes the latest security problem in SPIP (which resulted in the released of SPIP 2.0.9 ) and how to help reduce the risk of your SPIP sites being hacked using similar flaws in the future.

A coincidence of vulnerabilities

On the 5th of August, one of our clients forwarded me a notification that Google had detected malware on their web-site. After a quick look at the site, I discovered that someone had injected an into the site — the title of a news item, to be precise. I had a look in the administration interface and found that the title of that news item actually did contain the code. At first I thought that this was simply a matter of some attacker guessing or stealing a password, but there were no FTP accesses during that period and the only SPIP users had strong passwords. This was when I started to get worried.

I took a backup of the whole site over FTP and had a quick , but couldn’t find anything that had changed appreciably. Anything, that is, other than the directory. Somehow, the site had been switched from using MySQL to SQlite2. Asking around the office made it clear that none of us would do something so strange (storing SQLite databases in the web-root is a pretty strange thing to do in the first place!) so I was stumped, especially because this SQLite database was full of the correct content, ignoring extraneous s.

...

Original URL

http://passingcuriosity.com/2009/security-and-spip/

http://passingcuriosity.com/2009/security-and-spip/