SPIP is prone to a remote PHP code-injection vulnerability.

An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system other attacks are also possible. Impact Level: Application/System

Vendor updates are available.

SPIP contains a flaw that is triggered when input passed via the 'connect' parameter is not properly sanitized before being used.

SPIP versions prior to 2.0.21, 2.1.16, and 3.0.3 are vulnerable. Other version may also affected.

Tries to execute the phpinfo() function by sending a HTTP POST request.

• http://www.securityfocus.com/bid/54292
• http://www.securitytracker.com/id/1029317
• http://www.spip.net/en

---

Updated on 2015-03-25