Hi guys!
You are welcome!
I was already trying to help you on the 14th of January :-). But it looks like you
haven't received my letter (I always deal with not serious people who don't
receive my letters due to their lame antispam filters, but it's their own
problem, and everyone must do everything to receive letters from other people and
make sure that antispam filters work correctly: remove spam, but leave normal
letters through, and especially allow security-related letters). It is strange that
you haven't received my letter from the 14th of June, but received the letter from
the 9th of April. Exactly because I've not received an answer to my letter from
10.04, I sent a new letter yesterday from another e-mail of mine (from gmail),
which I have been using for many years specially for such cases, when I see that
people have not received my letters (with no responses, or there are "returns"
saying that filters don't allow letters from my e-mail, to bypass such lame
filters). This letter I'm sending from my gmail account for sure.
Because I was planning to disclose this letter this week, since almost
three months have passed since informing you in January, I reminded
you three days ago. First I planned to disclose it on Tuesday evening, but
because it turned out that you had fixed (and badly) only the holes in
SWFUpload, I postponed it to Wednesday, then to Thursday and now to Friday
evening. But I'm planning to do it at last this evening (and will write to
security lists tomorrow), so you need to fix these holes in the swf files
today already ;-).
After I saw that you had fixed only the holes in SWFUpload and mentioned only
that, I began to think that you hadn't received my letter in January,
and that you became aware of the SWFUpload holes related to Dotclear after my
advisories in November and March. But in that letter I wrote about many more
holes in your engine (in all three swf-files).
I'm resending my January letter below. Note that in that letter I didn't
write many details about the holes in player_mp3.swf, to make the letter more laconic.
Anyway, the holes are similar to those in player_flv.swf: all CS holes are similar for
both these flash applications, and there are no XSS holes in the mp3 player. Here are
the details for player_mp3.swf, so it'll be more obvious for you (the xml and txt config
files are similar for both these flashes).
Content Spoofing (WASC-12):
Certainly, give me any URL of a web site on Dotclear 2.5, so I can check your
protection against attacks on swf-files. Note that the protection you
referenced (that you made in version 2.5) is only for Apache and not
for other web servers. As I checked yesterday, you have used
.htaccess to block access to files (including swf files). But .htaccess works
only in Apache; on nginx and other web servers your engine will not be
protected, and all XSS and CS holes in these three flashes can be used for
attacks.
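The nginx side of the point above, as an added example that is neither Dotclear's shipped configuration nor the author's: it blocks direct access to the inc/swf directory the thread names, the way the Apache-only .htaccess does. The server_name and root values are placeholders.

```nginx
# Added example, not Dotclear's own configuration: refuse direct requests to
# the three bundled Flash players (swfupload.swf, player_flv.swf,
# player_mp3.swf) on nginx, where a .htaccess file has no effect.
server {
    listen 80;
    server_name blog.example;      # placeholder
    root /var/www/dotclear;        # placeholder install root

    # "^~" makes this prefix match win over any later regex location, so a
    # generic static-file handler cannot accidentally serve the directory.
    location ^~ /inc/swf/ {
        return 403;
    }

    # Belt and braces: the XSS and CS issues in the thread need the player
    # itself to be loadable, so deny any stray .swf under the document root.
    location ~* \.swf$ {
        return 403;
    }
}
```

After reloading, a request such as `curl -sI http://blog.example/inc/swf/player_flv.swf` should return 403. Deleting the unused .swf files from the install is the more robust fix, since it does not depend on web-server configuration at all.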
----- Original Message -----
Sent: Monday, January 14, 2013 12:57 AM
Subject: XSS and Content Spoofing vulnerabilities in Dotclear
Hello developers of Dotclear!
I want to warn you about Cross-Site Scripting
and Content Spoofing vulnerabilities in Dotclear. After I wrote
about the Magazeen theme for WordPress and Dotclear (which was using
vulnerable TimThumb), here are new vulnerabilities related to
Dotclear.
Your engine has three swf files (according to your site
http://dev.dotclear.org/2.0/browser/inc/swf),
and I suppose the last version, Dotclear 2.4.4, has them too. These files are
vulnerable to XSS and CS, so your engine has these holes.
The file swfupload.swf is Swfupload and it has an XSS
vulnerability. I wrote about swfupload.swf in different engines,
including in Dotclear, at my site
(http://websecurity.com.ua/6144/) in 2012.
Cross-Site Scripting (WASC-08):
Cross-Site Scripting (WASC-08):
Content Spoofing (WASC-12):
Here are all holes in FLV Player.
Content Spoofing (WASC-12):
XSS (WASC-08):
File xss.xml
<?xml version="1.0" encoding="UTF-8"?>
<config>
<param name="onclick" value="javascript:alert(document.cookie)" />
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />
</config>
File xss.txt
onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)
The code will execute after a click (or double click). It's strictly social
XSS.
The file player_flv.swf is some mp3 player, but it has similar holes to FLV
Player (if not all, then many of the above-mentioned holes).
Content Spoofing (WASC-12):
All versions of Dotclear are vulnerable: Dotclear 2.4.4 and previous
versions.
----- Original Message -----
Sent: Friday, April 12, 2013 8:22 AM
Subject: Re: XSS and CS vulnerabilities in Dotclear
Hi,
Of course we will not leave any vulnerabilities in our script, as far as
possible, and we would like to know exactly what the other holes you talked
about are (in the two other swf-files). Could you explain to us what they are?
We have also looked carefully in our two different mail archives and cannot
find any mail from you on 14 January 2013. We heard about these problems in
swfupload another way. If it was the case we, as usual, thank you in one way
or another, be sure about this.
Thanks a lot for helping us.