[Dotclear Dev] Fwd: Dotclear <= 2.6.2 Multiple Security Vulnerabilities

Bon, les gens, on a du boulot ! ---------- Forwarded message ---------- From: Egidio Romano <n0b0d13s(a)gmail.com&gt; Date: 2014-05-14 21:20 GMT+02:00 Subject: Dotclear <= 2.6.2 Multiple Security Vulnerabilities To: security(a)dotclear.net, contact(a)dotclear.net Hello, I discovered some security issues in the latest version of Dotclear, and very likely older versions are affected as well. 1) Authentication bypass in the XML/RPC interface This issue is due to the dcXmlRpc::setUser method (inc/core/class.dc.xmlrpc.php) not properly verifying the provided password before being used in a call to the dcAuth::checkUser method. This could be exploited to bypass the authentication mechanism by calling a XML/RPC method with a valid username and an empty password. Successful exploitation of this issue requires the XML/RPC interface to be enabled. 2) Unrestricted file upload in the media manager This issue is due to the filemanager::isFileExclude method (inc/libs/clearbricks/filemanager/class.filemanager.php) not properly verifying the extension of uploaded files. This method just checks if the uploaded file name matches the "exclude_pattern" regular expression, which by default is set to "/\.php$/i". This might not be enough to prevent PHP code execution, because other extensions (like .php5, .phtml, etc...) might be used and handled as PHP script by the web server. Furthermore, this approach could be bypassed by uploading a file with multiple extensions (like evil.php.foo). 3) SQL injection in admin/categories.php Input passed via the $_POST['categories_order'] parameter to admin/categories.php is not properly verified before being passed to the dcBlog::updCategoryPosition method. This could be exploited to conduct SQL injection attacks leveraging the UPDATE statement defined in the nestedTree::updatePosition method. Successful exploitation of this issue requires an account with the "manage categories" permission. [-] Proof of Concept Please fine attached two PoC scripts, which are intended to be used from the command line (CLI): - xmlrpc.php tries to exploit (1) and (2) together to upload a PHP file. - sqli.php tries to exploit (3) to fetch user ID and password of a super user. If you have any questions or concerns about the matter above, please do not hesitate to contact me. Best regards, Egidio Romano -- Dotclear Team