FYI Franck
---------- Forwarded message ----------
From: MustLive <[email protected]>
Date: 2013/4/9
Subject: XSS and CS vulnerabilities in Dotclear
To: [email protected]

Hello developers of Dotclear!

In January I informed you about multiple vulnerabilities in Dotclear. You have lamerly ignored my letter and haven't fixed these holes. I wrote to you about Cross-Site Scripting and Content Spoofing vulnerabilities in the flash files in your engine. Dotclear has three swf files (according to your site http://dev.dotclear.org/2.0/browser/inc/swf), and I suppose the last version, Dotclear 2.4.4, does too. And these files are vulnerable to XSS and CS, so your engine has these holes.

Now I'll give you more vulnerabilities in SWFUpload, in addition to the previous XSS hole, which I'll be disclosing together with the previous vulnerabilities in all three swf files in Dotclear. These are new Cross-Site Scripting and Content Spoofing vulnerabilities in your engine. I already wrote about these holes in March in my advisories concerning SWFUpload (http://seclists.org/fulldisclosure/2013/Mar/110 and http://seclists.org/fulldisclosure/2013/Mar/116). If you had fixed the previous hole in SWFUpload in January, when I first informed you, then you would also have fixed these holes.

Content Spoofing (WASC-12):

http://site/inc/swf/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text, images and html (e.g. for link injection).

Cross-Site Scripting (WASC-08):

http://site/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Code will execute after click. It's strictly social XSS.

The same as with the previous holes, all versions of Dotclear are vulnerable to these ones - Dotclear 2.4.4 and previous versions.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________ Dev mailing list - [email protected] - http://ml.dotclear.org/listinfo/dev
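As an added example (not part of the forwarded advisory and not Dotclear or SWFUpload code), the following Python script shows how a site operator could check web server access logs for the pattern the advisory describes: requests for a .swf file whose query parameters carry HTML markup or a javascript: URL. The log lines are constructed samples that reuse the two URLs quoted above plus benign requests; the script, the regexes and the "content-spoofing" / "xss" verdict names are assumptions of this example. It also handles repeated percent-encoding, which the advisory's URLs do not use but which a log reviewer would want to catch.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
# Lines 2 and 3 reuse the query strings quoted in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2013:10:00:01 +0000] "GET /inc/swf/swfupload.swf?buttonText=Upload HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2013:10:00:02 +0000] "GET /inc/swf/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2013:10:00:03 +0000] "GET /inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
203.0.113.11 - - [09/Apr/2013:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Request line inside the log entry: method, target (path + query), protocol.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Any HTML tag opener (content/link injection into the SWF button text).
MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.I)
# Markup that can run script once rendered: javascript: URLs, <script>, on*= handlers.
ACTIVE = re.compile(r"javascript\s*:|<\s*script|\bon[a-z]+\s*=", re.I)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return 'xss', 'content-spoofing' or None for one query-parameter value."""
    v = decode_fully(value)
    if ACTIVE.search(v):
        return "xss"
    if MARKUP.search(v):
        return "content-spoofing"
    return None


def scan_log(text):
    """Return one finding per suspicious query parameter on requests for .swf files."""
    findings = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith(".swf"):
            continue
        # parse_qs splits on the first '=' only, so values containing '=' survive intact
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                verdict = classify(value)
                if verdict:
                    findings.append(
                        {"ip": ip, "path": parts.path, "param": name, "verdict": verdict}
                    )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} param={f['param']} verdict={f['verdict']}")
```

Run against the constructed sample, the script reports the second line as content spoofing and the third as XSS, and ignores the benign swfupload.swf request and the unrelated index.php hit. The same scan can be pointed at a real access log file to confirm whether the quoted URLs have actually been requested against a Dotclear install before the swf files are removed or updated.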
