It's on 2.6, but I'm porting it to default :)

2014/1/20 Franck Paul <[email protected]>
> Great, can you do that on 2.6 please?
>
> 2014/1/20 Bruno <[email protected]>
> > I'll take it, commit in the next 5 minutes.
> >
> > --
> > Bruno
> >
> > 2014/1/20 Franck Paul <[email protected]>
> > > And so it would be good to include a fix in 2.6.2, which is due out
> > > one of these days…
> > >
> > > 2014/1/20 Franck Paul <[email protected]>
> > > > Hey, it looks like the password-protected posts/pages side needs
> > > > some hardening :-p
> > > >
> > > > ---------- Forwarded message ----------
> > > > From: Charlie Briggs <[email protected]>
> > > > Date: 2014/1/20
> > > > Subject: Dotclear PHP Object Injection - Potential Remote Code Execution
> > > > To: [email protected]
> > > >
> > > > Hi there,
> > > >
> > > > I recently came across Dotclear and decided to briefly look over its
> > > > security.
> > > >
> > > > After doing some code review and grepping for common PHP pitfalls (calls
> > > > to exec, eval, system, passthru, preg_replace with the e modifier,
> > > > unescaped queries, calls to move_uploaded_file with no verification, and
> > > > so on), I found that in inc/public/lib.urlhandlers.php and
> > > > plugins/pages/_public.php there is a call to unserialize() which takes
> > > > direct user input via the cookies. For this call to go ahead, you need
> > > > to access a password-protected post/page.
> > > >
> > > >     # Password protected entry
> > > >     if ($post_password != '' && !$_ctx->preview)
> > > >     {
> > > >         # Get passwords cookie
> > > >         if (isset($_COOKIE['dc_passwd'])) {
> > > >             $pwd_cookie = unserialize($_COOKIE['dc_passwd']);
> > > >         } else {
> > > >             $pwd_cookie = array();
> > > >         }
> > > >         .....
> > > >     }
> > > >
> > > > Setting the dc_passwd cookie to a serialized object which does not
> > > > exist, O:4:"Test":0:{}, throws the PHP error "Cannot use object of type
> > > > __PHP_Incomplete_Class as array". For a code execution
> > > > proof-of-concept, if we create the class "Test" and ensure it is loaded
> > > > before the unserialize() runs:
> > > >
> > > >     class Test
> > > >     {
> > > >         function __wakeup()
> > > >         {
> > > >             echo "Hello world";
> > > >         }
> > > >     }
> > > >
> > > > The following output is given:
> > > >
> > > >     Hello world
> > > >     Fatal error: Cannot use object of type Test as array in
> > > >     /var/www/dotclear/dotclear/inc/public/lib.urlhandlers.php on line 389
> > > >
> > > > I haven't gone through all the loaded classes to see if any interesting
> > > > code execution can occur off the bat; however, as plugins can be loaded,
> > > > it's possible that a plugin could cause this core vulnerability to
> > > > become exploitable.
> > > >
> > > > I have rated the overall risk for this as medium, as it is
> > > > context-dependent, i.e. it only works on a password-protected post.
> > > >
> > > > The recommended fix for this would be to use safe methods of data
> > > > exchange, such as PHP's json_encode() / json_decode().
> > > >
> > > > Regards,
> > > >
> > > > Charlie Briggs
> > > > Security Consultant
> > > > MWR InfoSecurity
> > > > Mobile: +44 (0) 7584 558 782
> > > >
> > > > --
> > > > Franck
> > >
> > > --
> > > Franck
> >
>
> --
> Franck

--
Dev mailing list - [email protected] - http://ml.dotclear.org/listinfo/dev
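As an added example, written for this page and not Dotclear's code nor the reporter's proof of concept: the vulnerable cookie handling from the report next to the json_decode() replacement the reporter recommends, plus the `allowed_classes` option that PHP 7 later added to unserialize(). The LogWriter class is a hypothetical gadget standing in for any loaded core or plugin class with a side-effecting magic method; the function names and the cookie values are constructed for illustration.

```php
<?php
// Added example (not Dotclear's code): why unserialize() on a cookie is an
// object-injection sink, and what the json_decode() fix changes.
// LogWriter is a hypothetical gadget standing in for any loaded class
// (core or plugin) whose magic methods have side effects.

class LogWriter
{
    public $path = '';
    public $data = '';

    // unserialize() calls this as soon as the object is rebuilt, before the
    // application code ever looks at what it got back.
    public function __wakeup()
    {
        // A real gadget would do file_put_contents($this->path, $this->data);
        // here we only report it, with the attacker-chosen property values.
        echo "__wakeup() ran: would write '{$this->data}' to {$this->path}\n";
    }
}

// Vulnerable pattern, as reported: the cookie string decides which class is
// instantiated and what every property contains. The reported code then
// indexes the result as an array and dies with the fatal error quoted in the
// report, but by then the side effect has already happened.
function passwordsFromCookieUnsafe(string $cookie): array
{
    $pwd_cookie = unserialize($cookie);          // gadget's __wakeup() fires here
    return is_array($pwd_cookie) ? $pwd_cookie : array();
}

// Hardened pattern: JSON has no notion of PHP classes, so nothing is
// instantiated and no magic method can run. Depth 2 allows only a flat
// {"post id": "value"} object; deeper nesting decodes to NULL.
function passwordsFromCookieSafe(string $cookie): array
{
    $decoded = json_decode($cookie, true, 2);
    if (!is_array($decoded)) {
        return array();
    }
    $clean = array();
    foreach ($decoded as $post_id => $value) {
        if (is_string($value)) {
            $clean[(string) $post_id] = $value;  // keep only id => string pairs
        }
    }
    return $clean;
}

// Alternative if the serialized format must stay (PHP >= 7.0): refuse to
// instantiate any class; objects come back as __PHP_Incomplete_Class and
// no __wakeup() runs.
function passwordsFromCookieNoClasses(string $cookie): array
{
    $pwd_cookie = unserialize($cookie, array('allowed_classes' => false));
    return is_array($pwd_cookie) ? $pwd_cookie : array();
}

// Constructed inputs. In the real bug the string arrives as
// $_COOKIE['dc_passwd'] from the request's Cookie: header.
$gadget = new LogWriter();
$gadget->path = '/tmp/pwned.txt';
$gadget->data = 'attacker-controlled content';
$malicious = serialize($gadget);
// O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"data";s:27:"..."}
echo "Attacker cookie: $malicious\n";

$legit = json_encode(array(42 => 'd41d8cd98f00b204e9800998ecf8427e'));

echo "-- unserialize() --\n";
var_dump(passwordsFromCookieUnsafe($malicious));        // __wakeup() output appears first

echo "-- json_decode() --\n";
var_dump(passwordsFromCookieSafe($malicious));          // array(0) {} and no side effect
var_dump(passwordsFromCookieSafe($legit));              // array(1) { [42]=> string(32) ... }
var_dump(passwordsFromCookieSafe('{"42":{"nested":1}}')); // array(0) {}: nesting rejected

echo "-- allowed_classes => false --\n";
var_dump(passwordsFromCookieNoClasses($malicious));     // array(0) {}, __wakeup() not called
```

Run it with `php example.php`: the first var_dump is preceded by the __wakeup() line, showing that the gadget executed before the caller could check the type of what unserialize() returned; neither the JSON nor the `allowed_classes => false` variant prints it. The JSON variant also whitelists the shape of the data (flat, string values only), which is the part a type check after unserialize() could never give you, since the damage is done inside the call.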
