Gents,

Our CTO discovered two vulnerabilities in a well-known CMS product named
SPIP :
	- a local path disclosure (all SPIP version)
	- and an SQL injection (SPIP 1.9.2 branch)

Technical information were notified to the SPIP-Team for fixes
(responsible disclosure, with fixes included). SPIP is now patched and
latest version can be downloaded (see further).

If you want more 0days and more offensive tricks, check how to join us
through the end of this email ;)


*About the SPIP vulnerabilities*

== Background: SPIP is a publishing system for the Internet in which
great importance is attached to collaborative working, to multilingual
environments, and to simplicity of use for web authors.

== 1st Security Advisory: TEHTRIS-SA-2011-011
-- Title: SQL Injection in SPIP 1.9.2j
-- Affected Vendors: SPIP (www.spip.net)
-- Affected Product: SPIP
-- Versions: 1.9.2j
-- CVE-ID: linked to CVE-2008-5813

== 2nd Security Advisory: TEHTRIS-SA-2011-010
-- Title: Local Path Disclosure in all SPIP version
-- Affected Vendors: SPIP (www.spip.net)
-- Affected Product: SPIP
-- Versions: 1.9.2j, 2.0.15, 2.1.10

== Credits: Discovered by _Laurent Estieux_ CTO TEHTRI-Security

== Update your CMS: http://www.spip.net/en_article5265.html
== Vulnerability reference (in french) :
http://www.spip-contrib.net/SPIP-1-9-2k-2-0-16-2-1-11-et-3-0-0-beta-disponibles
== Other references:
http://www.spip.net/rubrique33.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5813


*About TEHTRI-security*

 [w] http://www.tehtri-security.com
 [m] web@tehtri-security.com
 [t] @tehtris


*Join us for live hacking sessions*

- OCT 2011 / Hack In The Box / Kuala Lumpur, Malaysia
 Training: "Hunting Web Attackers"
 [w] http://conference.hitb.org/hitbsecconf2011kul/?page_id=274
 => 0days included - don't use them at home, kids :)
 ==> Sorry: HITB Classroom already FULL

- DEC 2011 / Black Hat / Abu Dhabu, UAE
 Training: "Advanced PHP Hacking"
 [w]
https://www.blackhat.com/html/bh-ad-11/training/bh-ad-11-training_PHP.html
 => 0days included - don't use them at home, kids :)

- FEB 2012 / Hack In The Box GSEC / Mumbai, India
 Training "Strategic Cyber Attacks,Advanced Persistent Threats & Beyond"
 [w] http://gsec.hitb.org/?p=134
 => 0days included - don't use them at home, kids :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/