As for HTTP sessions, I don't know. That said, I think that for simple use
via rich clients (MarsEdit and the like), we shouldn't need them.
2014-05-14 22:45 GMT+02:00 Bruno <dsls(a)morefnu.org>:
Regarding 1/, is xmlrpc supposed to handle HTTP sessions? If not, I think
we can drop a useless bit of code from setUser (the first test).
2014-05-14 21:54 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net>:
> Right, folks, we've got work to do!
>
> ---------- Forwarded message ----------
> From: Egidio Romano <n0b0d13s(a)gmail.com>
> Date: 2014-05-14 21:20 GMT+02:00
> Subject: Dotclear <= 2.6.2 Multiple Security Vulnerabilities
> To: security(a)dotclear.net, contact(a)dotclear.net
>
>
> Hello,
>
> I discovered some security issues in the latest version of Dotclear, and
> very likely older versions are affected as well.
>
> 1) Authentication bypass in the XML/RPC interface
>
> This issue is due to the dcXmlRpc::setUser method
> (inc/core/class.dc.xmlrpc.php) not properly verifying the provided password
> before being used in a call to the dcAuth::checkUser method. This could be
> exploited to bypass the authentication mechanism by calling an XML/RPC
> method with a valid username and an empty password. Successful exploitation
> of this issue requires the XML/RPC interface to be enabled.
>
> 2) Unrestricted file upload in the media manager
>
> This issue is due to the filemanager::isFileExclude method
> (inc/libs/clearbricks/filemanager/class.filemanager.php) not properly
> verifying the extension of uploaded files. This method just checks if the
> uploaded file name matches the "exclude_pattern" regular expression, which
> by default is set to "/\.php$/i". This might not be enough to prevent PHP
> code execution, because other extensions (like .php5, .phtml, etc.) might
> be used and handled as PHP script by the web server. Furthermore, this
> approach could be bypassed by uploading a file with multiple extensions
> (like evil.php.foo).
>
> 3) SQL injection in admin/categories.php
>
> Input passed via the $_POST['categories_order'] parameter to
> admin/categories.php is not properly verified before being passed to
> the dcBlog::updCategoryPosition method. This could be exploited to conduct
> SQL injection attacks leveraging the UPDATE statement defined in
> the nestedTree::updatePosition method. Successful exploitation of this
> issue requires an account with the "manage categories" permission.
>
> [-] Proof of Concept
>
> Please find attached two PoC scripts, which are intended to be used from
> the command line (CLI):
> - xmlrpc.php tries to exploit (1) and (2) together to upload a PHP file.
> - sqli.php tries to exploit (3) to fetch user ID and password of a super
> user.
>
> If you have any questions or concerns about the matter above, please do not
> hesitate to contact me.
>
> Best regards,
> Egidio Romano
>
>
>
> --
> Dotclear Team
>
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
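As an added illustration of issue 2 (this is not Dotclear's or clearbricks' code; the function names, sample file names and extension lists are assumptions): the single-suffix pattern the advisory quotes, beside a check that inspects every dotted component of the name and accepts only an allowlist of media extensions.

```php
<?php
// Added example, not clearbricks code. Shows why a trailing ".php" test is
// insufficient and what a component-wise allowlist check looks like.

// Weak: mirrors the default exclude_pattern. Only the final suffix is tested,
// so "x.php5", "x.phtml" and "x.php.foo" all pass.
function isExcludedWeak(string $name): bool
{
    return (bool) preg_match('/\.php$/i', $name);
}

// Hardened: every component after the base name is checked, case-insensitively.
// The allowlist is the real control; the executable list documents intent and
// rejects early. Both lists are illustrative assumptions, not project values.
function isExcludedHardened(string $name): bool
{
    $allowed    = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip', 'tar', 'gz', 'mp3', 'ogg', 'webm'];
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];

    $parts = explode('.', basename($name));
    // No extension at all, or a dotfile such as ".htaccess": refuse.
    if (count($parts) < 2 || $parts[0] === '') {
        return true;
    }
    array_shift($parts); // drop the base name, keep every suffix
    foreach ($parts as $ext) {
        $ext = strtolower($ext);
        if (in_array($ext, $executable, true) || !in_array($ext, $allowed, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample names covering the cases the advisory describes.
$samples = ['photo.JPG', 'shell.php', 'shell.php5', 'evil.php.foo', 'notes.txt', '.htaccess', 'archive.tar.gz'];
foreach ($samples as $s) {
    printf("%-16s weak=%-6s hardened=%s\n", $s,
        isExcludedWeak($s) ? 'reject' : 'accept',
        isExcludedHardened($s) ? 'reject' : 'accept');
}
```

Run it with `php` on the command line: the weak check accepts `shell.php5` and `evil.php.foo`, the hardened one rejects both while still accepting `photo.JPG` and `archive.tar.gz`.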