Right, people, we've got work to do!
---------- Forwarded message ----------
From: Egidio Romano <n0b0d13s(a)gmail.com>
Date: 2014-05-14 21:20 GMT+02:00
Subject: Dotclear <= 2.6.2 Multiple Security Vulnerabilities
To: security(a)dotclear.net, contact(a)dotclear.net
Hello,
I discovered some security issues in the latest version of Dotclear, and
very likely older versions are affected as well.
1) Authentication bypass in the XML/RPC interface
This issue is due to the dcXmlRpc::setUser method
(inc/core/class.dc.xmlrpc.php) not properly verifying the provided password
before being used in a call to the dcAuth::checkUser method. This could be
exploited to bypass the authentication mechanism by calling an XML/RPC
method with a valid username and an empty password. Successful exploitation
of this issue requires the XML/RPC interface to be enabled.
2) Unrestricted file upload in the media manager
This issue is due to the filemanager::isFileExclude method
(inc/libs/clearbricks/filemanager/class.filemanager.php) not properly
verifying the extension of uploaded files. This method just checks if the
uploaded file name matches the "exclude_pattern" regular expression, which
by default is set to "/\.php$/i". This might not be enough to prevent PHP
code execution, because other extensions (like .php5, .phtml, etc...) might
be used and handled as PHP script by the web server. Furthermore, this
approach could be bypassed by uploading a file with multiple extensions
(like evil.php.foo).
3) SQL injection in admin/categories.php
Input passed via the $_POST['categories_order'] parameter to
admin/categories.php is not properly verified before being passed to
the dcBlog::updCategoryPosition method. This could be exploited to conduct
SQL injection attacks leveraging the UPDATE statement defined in
the nestedTree::updatePosition method. Successful exploitation of this
issue requires an account with the "manage categories" permission.
[-] Proof of Concept
Please find attached two PoC scripts, which are intended to be used from
the command line (CLI):
- xmlrpc.php tries to exploit (1) and (2) together to upload a PHP file.
- sqli.php tries to exploit (3) to fetch user ID and password of a super
user.
If you have any questions or concerns about the matter above, please do not
hesitate to contact me.
Best regards,
Egidio Romano
--
Dotclear Team
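The three issues reported above each come down to a missing input check. The following PHP is an added example written for this thread; it is not code from the email, the attached PoC scripts, or Dotclear itself. The function names hardenedSetUser(), isSafeUploadName() and sanitizeCategoryOrder(), the $checkUser callback and the "id => position" shape assumed for categories_order are illustrative assumptions, not Dotclear APIs. It shows, from the defender's side, what the fix for each issue has to enforce: refuse empty credentials before any call to the authentication backend (1), allowlist the final upload extension and inspect every dot-separated segment so "evil.php.foo" and ".phtml" are caught (2), and force the category order to integers before it can reach an UPDATE statement (3).

```php
<?php
// Added example (not Dotclear's code): defender-side checks for issues (1), (2)
// and (3) from the report above. hardenedSetUser(), isSafeUploadName(),
// sanitizeCategoryOrder() and the $checkUser callback are assumed names.

declare(strict_types=1);

/**
 * Issue (1): never reach the credential check with an empty password, so an
 * empty string can no longer be handed through to something like dcAuth::checkUser.
 *
 * @param callable $checkUser assumed signature: fn(string $user, string $pwd): bool
 */
function hardenedSetUser(callable $checkUser, string $user, string $password): bool
{
    // Reject empty or whitespace-only credentials before any lookup happens.
    if (trim($user) === '' || trim($password) === '') {
        return false;
    }
    return $checkUser($user, $password) === true;
}

/**
 * Issue (2): allowlist the final extension and reject an executable extension
 * anywhere in the name, instead of only matching /\.php$/i on the full name.
 */
function isSafeUploadName(string $name, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']): bool
{
    // Work on the bare file name; a path separator or a leading dot is rejected outright.
    $base = basename($name);
    if ($base !== $name || $base === '' || $base[0] === '.') {
        return false;
    }
    // Extensions a web server may hand to the PHP interpreter, wherever they appear.
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    $ext = array_pop($parts);
    // Check every inner segment too, so multiple extensions (evil.php.foo) fail.
    foreach ($parts as $segment) {
        if (in_array($segment, $executable, true)) {
            return false;
        }
    }
    return in_array($ext, $allowed, true);
}

/**
 * Issue (3): normalise the submitted order to integers before it can be used in
 * any UPDATE. The "id => position" shape is an assumption for this example; the
 * real request format of categories_order is not shown in the report.
 */
function sanitizeCategoryOrder(array $raw): array
{
    $clean = [];
    foreach ($raw as $id => $position) {
        if (!ctype_digit((string) $id) || !ctype_digit((string) $position)) {
            throw new InvalidArgumentException('categories_order must contain only integers');
        }
        $clean[(int) $id] = (int) $position;
    }
    return $clean;
}

// Constructed self-check with made-up credentials and file names (not Dotclear calls).
$fakeCheck = fn(string $u, string $p): bool => $u === 'admin' && $p === 'correct-horse';
assert(hardenedSetUser($fakeCheck, 'admin', '') === false);
assert(hardenedSetUser($fakeCheck, 'admin', 'correct-horse') === true);
assert(isSafeUploadName('photo.jpg') === true);
assert(isSafeUploadName('evil.php.foo') === false);
assert(isSafeUploadName('shell.phtml') === false);
assert(isSafeUploadName('../photo.jpg') === false);
assert(sanitizeCategoryOrder(['3' => '1', '7' => '2']) === [3 => 1, 7 => 2]);
echo "all checks passed\n";
```

The design point in isSafeUploadName() is that a deny-pattern on the whole file name is the wrong primitive: the decision belongs to an allowlist on the final extension, with every inner segment checked as well, because what the web server executes depends on its handler configuration rather than on a single regular expression in the application.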