Administrator vulnerability in SIPS

I was recently informed about a serious vulnerability in SIPS which could allow an attacker to gain administrator status on any SIPS site. I take this very seriously, and I strongly encourage all users to take action to prevent compromise.

What to do

Several measures can be taken to fix the security hole. Fortunately, it need not be much of a hassle.

Either, upgrade to SIPS 0.3.1

This was released recently and includes the fix (among other things). You can get it here.

...Or, replace your existing site.inc.php

The problem is located in the file site.inc.php, which is inside the sipssys/code directory. If your existing SIPS version is 0.2.4 or newer, you should be able to just replace it with this one (remember to rename it to site.inc.php).

What it is

Much care must be taken when authoring any web-based system, because you don't know your users well enough to trust that the data they send is what you expect. In this case, it is possible to exploit the function that writes to the files that contain various data for each user. Each line in these files is a separate value. As an example, one of the lines contains the name of the theme this user wishes to use. By creating a local variant of the HTML form used to change this value, a user can gain administrator status. This is done by changing the form so that it tells SIPS to change to a theme name which begins with the name of a real theme, but then has a line feed followed by "Status::admin". The latter is the magic value that informs SIPS about the administrator status of the user. The vulnerability is of course that SIPS doesn't check for line feeds, and simply dumps the raw value to the user file. The lack of checking is due to a naive belief that data will only originate from actual, unaltered SIPS forms.

The fix causes any data to be checked for line feeds before it is written. I encourage users to go look for similar issues in other parts of SIPS, and if you find any, please provide me with the needed information so that I have time to provide a fix "before the sh*t hits the fan" :)
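To make the problem described above and the fix concrete, here is an added example written for this page; it is not code from SIPS or from site.inc.php. It models a line-oriented user file as one "Key::value" pair per line (an assumed layout; the real file format may differ), with the vulnerable write beside a hardened one that refuses line breaks and only accepts names of installed themes. The sample file contents, the $allowedThemes list and the key names are constructed for illustration.

```php
<?php
// Added example, not SIPS code. Models a per-user data file in which each line
// is a separate "Key::value" pair (assumed layout) and shows why writing an
// unchecked form value into it is dangerous, and how the fix blocks it.

// Parse the file into an associative array. In this model a later line
// overrides an earlier one with the same key.
function parse_user_file(string $contents): array
{
    $data = [];
    foreach (explode("\n", $contents) as $line) {
        $line = rtrim($line, "\r");
        if ($line === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('::', $line, 2), 2, '');
        $data[$key] = $value;
    }
    return $data;
}

function serialize_user_file(array $data): string
{
    $out = '';
    foreach ($data as $key => $value) {
        $out .= $key . '::' . $value . "\n";
    }
    return $out;
}

// Vulnerable write: the submitted value is dumped into the file unchanged,
// so a value containing a line feed becomes an extra line (an extra key).
function set_theme_vulnerable(string $contents, string $theme): string
{
    $data = parse_user_file($contents);
    $data['Theme'] = $theme;
    return serialize_user_file($data);
}

// Hardened write: reject any value containing a line break (the check this
// advisory's fix adds) and, as a second layer, accept only a theme name
// that actually exists on the site.
function set_theme_safe(string $contents, string $theme, array $allowedThemes): string
{
    if (strpbrk($theme, "\r\n") !== false) {
        throw new InvalidArgumentException('line breaks are not allowed in user data');
    }
    if (!in_array($theme, $allowedThemes, true)) {
        throw new InvalidArgumentException('unknown theme: ' . $theme);
    }
    $data = parse_user_file($contents);
    $data['Theme'] = $theme;
    return serialize_user_file($data);
}

// Constructed sample user file and theme list.
$original      = "Name::alice\nStatus::user\nTheme::default\n";
$allowedThemes = ['default', 'dark'];

// A value of the kind the advisory describes: a real theme name, a line feed,
// then the administrator marker. Used here only to show the two writes differ.
$submitted = "default\nStatus::admin";

$afterVulnerable = parse_user_file(set_theme_vulnerable($original, $submitted));
echo 'vulnerable write: Status = ' . $afterVulnerable['Status'] . "\n";

try {
    set_theme_safe($original, $submitted, $allowedThemes);
} catch (InvalidArgumentException $e) {
    echo 'hardened write rejected the value: ' . $e->getMessage() . "\n";
}

$afterSafe = parse_user_file(set_theme_safe($original, 'dark', $allowedThemes));
echo 'hardened write: Theme = ' . $afterSafe['Theme']
   . ', Status = ' . $afterSafe['Status'] . "\n";
```

Running it with the PHP CLI shows the vulnerable write re-reading as Status = admin, while the hardened write throws before anything is written. The allowlist check is deliberately separate from the line-break check: the latter closes this specific hole, and the former means a theme field can never carry anything but a known theme name, which is the general principle the paragraph above argues for.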


Haakon Nilsen
Last modified: Sat Feb 9 21:20:19 CET 2002