Regarding 1/: is xmlrpc supposed to handle HTTP sessions? If not, I think we can drop a useless bit of code from setUser (the first test).
2014-05-14 21:54 GMT+02:00 Dotclear (contact) <[email protected]>:
> Well, folks, we've got work to do!
>
> ---------- Forwarded message ----------
> From: Egidio Romano <[email protected]>
> Date: 2014-05-14 21:20 GMT+02:00
> Subject: Dotclear <= 2.6.2 Multiple Security Vulnerabilities
> To: [email protected], [email protected]
>
>
> Hello,
>
> I discovered some security issues in the latest version of Dotclear, and
> very likely older versions are affected as well.
>
> 1) Authentication bypass in the XML/RPC interface
>
> This issue is due to the dcXmlRpc::setUser method
> (inc/core/class.dc.xmlrpc.php) not properly verifying the provided password
> before being used in a call to the dcAuth::checkUser method. This could be
> exploited to bypass the authentication mechanism by calling an XML/RPC
> method with a valid username and an empty password. Successful exploitation
> of this issue requires the XML/RPC interface to be enabled.
>
> 2) Unrestricted file upload in the media manager
>
> This issue is due to the filemanager::isFileExclude method
> (inc/libs/clearbricks/filemanager/class.filemanager.php) not properly
> verifying the extension of uploaded files. This method just checks if the
> uploaded file name matches the "exclude_pattern" regular expression, which
> by default is set to "/\.php$/i". This might not be enough to prevent PHP
> code execution, because other extensions (like .php5, .phtml, etc.) might
> be used and handled as PHP script by the web server. Furthermore, this
> approach could be bypassed by uploading a file with multiple extensions
> (like evil.php.foo).
>
> 3) SQL injection in admin/categories.php
>
> Input passed via the $_POST['categories_order'] parameter to
> admin/categories.php is not properly verified before being passed to
> the dcBlog::updCategoryPosition method. This could be exploited to conduct
> SQL injection attacks leveraging the UPDATE statement defined in
> the nestedTree::updatePosition method. Successful exploitation of this
> issue requires an account with the "manage categories" permission.
>
> [-] Proof of Concept
>
> Please find attached two PoC scripts, which are intended to be used from
> the command line (CLI):
> - xmlrpc.php tries to exploit (1) and (2) together to upload a PHP file.
> - sqli.php tries to exploit (3) to fetch user ID and password of a super
> user.
>
> If you have any questions or concerns about the matter above, please do not
> hesitate to contact me.
>
> Best regards,
> Egidio Romano
>
>
>
> --
> Dotclear Team
>
> --
> Dev mailing list - [email protected] -
> http://ml.dotclear.org/listinfo/dev
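Point 2 of the forwarded advisory, as an added PHP example that is not Dotclear's code: a check modelled on the described "/\.php$/i" exclude pattern, beside an allowlist check (an assumed policy with an assumed list of permitted extensions) that inspects every dot-separated extension component, so the names the advisory mentions are rejected.

```php
<?php
// Added example, not Dotclear's code. Two ways of deciding whether an
// uploaded file name is acceptable.

// Weak check, modelled on the behaviour the advisory describes for
// filemanager::isFileExclude: a name is rejected only when it matches the
// exclude pattern, "/\.php$/i" by default. Anything that does not end in
// ".php" passes, including ".php5", ".phtml" and "evil.php.foo".
function weak_is_excluded(string $name, string $exclude_pattern = '/\.php$/i'): bool
{
    return (bool) preg_match($exclude_pattern, $name);
}

// Hardened check (assumed policy, not Dotclear's): accept the name only if it
// has at least one extension and every component after the base name is on
// an explicit, lowercase allowlist. "evil.php.foo" is rejected because "php"
// is not allowed, whatever the final extension is.
function safe_is_allowed(string $name, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'pdf']): bool
{
    $base  = basename($name);             // ignore any directory part
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                     // no extension, or a dotfile
    }
    $allowed = array_map('strtolower', $allowed);
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array(strtolower($ext), $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names, including the cases named in the advisory.
$samples = ['photo.jpg', 'evil.php', 'evil.php5', 'evil.phtml', 'evil.php.foo', 'notes.txt', 'EVIL.PhP'];
foreach ($samples as $s) {
    printf("%-14s exclude-pattern: %-8s  allowlist: %s\n",
        $s,
        weak_is_excluded($s) ? 'rejected' : 'accepted',
        safe_is_allowed($s)  ? 'accepted' : 'rejected');
}
```

Run with the PHP CLI; the output shows the exclude pattern accepting every name except the two ending in ".php", while the allowlist accepts only photo.jpg and notes.txt.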
