SPIP Referer Spam Plugin Unauthenticated SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the SPIP referer_spam plugin, affecting versions prior to 1.3.0. It resides in the referer_spam_ajouter and referer_spam_supprimer action handlers, which interpolate the 'url' GET parameter directly into SQL LIKE clauses without validation or parameterization, allowing remote attackers to execute arbitrary SQL queries. In addition, the endpoints perform no authorization check and do not use SPIP's action protection functions, such as securiser_action(), so the injection is reachable without authentication.

Impact

Exploitation of this vulnerability allows for arbitrary SQL query execution, which could lead to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, send a GET request to the SPIP site that triggers the referer_spam_ajouter or referer_spam_supprimer action with a crafted 'url' parameter; the injected SQL is then executed. No authentication is needed, because the handlers perform neither an authorization check nor action protection.

Remediation

Users are advised to update the SPIP referer_spam plugin to version 1.3.0 or later.
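As an added example (not code from the advisory or the plugin), the following Python scans web-server access-log lines for calls to the two action handlers named above and raises the severity when the decoded 'url' value carries SQL string or LIKE metacharacters, to help triage sites that have not yet moved to 1.3.0. It assumes the handlers are reached through SPIP's spip.php?action=... dispatch, a standard combined-format access log, and constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Handlers named in the advisory; reaching them via spip.php?action=... is an assumption.
VULNERABLE_ACTIONS = {"referer_spam_ajouter", "referer_spam_supprimer"}
# Characters that change meaning inside a SQL string literal or LIKE pattern.
SQL_METACHARS = re.compile(r"""['"\\%;#]|--|/\*""")
# Combined/common access-log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def inspect_request(path):
    """Return a finding for one request path, or None if it is not of interest."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    hit = set(query.get("action", [])) & VULNERABLE_ACTIONS
    if not hit:
        return None
    urls = query.get("url", [])  # already percent-decoded by parse_qs
    tainted = any(SQL_METACHARS.search(u) for u in urls)
    # Any call to these handlers deserves review until 1.3.0 is deployed;
    # SQL metacharacters in 'url' point at an injection attempt.
    return {"action": sorted(hit)[0], "url": urls[0] if urls else None,
            "severity": "high" if tainted else "info"}

def scan_log(text):
    """Scan access-log text; return findings in log order, with ip and timestamp."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("path"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(finding)
    return findings

# Constructed sample: a plain call, a call with a quote and a LIKE wildcard in
# 'url', and an unrelated page view (addresses are documentation ranges).
LOG_SAMPLE = """\
203.0.113.7 - - [25/Feb/2026:04:21:00 +0000] "GET /spip.php?action=referer_spam_ajouter&url=http%3A%2F%2Fexample.net%2F HTTP/1.1" 302 -
203.0.113.7 - - [25/Feb/2026:04:21:03 +0000] "GET /spip.php?action=referer_spam_supprimer&url=%27%25 HTTP/1.1" 302 -
198.51.100.2 - - [25/Feb/2026:04:22:10 +0000] "GET /spip.php?page=sommaire HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for f in scan_log(LOG_SAMPLE):
        print(f"{f['severity']:<5} {f['ip']} {f['ts']} {f['action']} url={f['url']!r}")
```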

Added: Feb 25, 2026, 4:21 AM
Updated: Feb 25, 2026, 4:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.4
remediation: 0.0
relevance: 3.4
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.