Date: Wed, 24 Aug 2016 16:32:52 +0700
From: gen type <gen0typ3.n@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Dotclear 2.9.1 SSRF/XSPA Vulnerability

#################################
Dotclear 2.9.1 SSRF/XSPA Vulnerability
#################################

[+] Software: https://dotclear.org/
[+] Author: Wiswat Aswamenakul
[+] Affected version: only tested on 2.9.1 (earlier versions might be
affected)
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9
[+] Description
Dotclear has a feature to import blog content through an RSS feed.
Authenticated users have access to this feature. The feature does not
restrict access to private networks such as 10.0.0.0/8, 172.16.0.0/12 and
192.168.0.0/16. This allows authenticated users to use the RSS import to
scan ports on the internal network.
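The missing check the description points at is a destination-address filter in front of the feed fetcher. The following is an added example of such a filter (not Dotclear's code, nor the fix shipped in 2.10): it accepts only http/https URLs, resolves the host, and rejects the request if any resolved address is private, loopback, link-local or otherwise not globally routable, including the RFC 1918 ranges named above and IPv4-mapped IPv6 forms of them. The function names, the fake resolver and its hostnames and addresses are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes a feed importer has any reason to fetch (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text):
    """Return True only if ip_text is a globally routable unicast address.

    ipaddress.is_global is False for RFC 1918 space (10/8, 172.16/12,
    192.168/16), loopback, link-local (169.254/16, fe80::/10), CGNAT
    (100.64/10), the unspecified address, documentation ranges and IPv6 ULAs
    (fc00::/7). Multicast is excluded explicitly because older Python versions
    do not treat it as non-global.
    """
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 must be judged by the IPv4 address it embeds.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve_all(host):
    """Resolve host to every A/AAAA record (real DNS; swapped out in demo/tests)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_feed_url(url, resolver=resolve_all):
    """Return (ok, detail, addresses) for a user-supplied feed URL.

    ok is True only when the scheme is allowed and *every* address the host
    resolves to is public; a host with one public and one private record is
    rejected. The fetcher should then connect to one of the returned
    addresses rather than resolving the name a second time, so a DNS answer
    that changes between check and fetch cannot bypass the filter.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    # Literal addresses (including bracketed IPv6) need no lookup.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, "DNS failure: %s" % exc, []
    if not addresses:
        return False, "host resolved to no address", []
    for addr in addresses:
        if not is_public_address(addr):
            return False, "address %s is not publicly routable" % addr, addresses
    return True, "ok", addresses


# Constructed, offline resolver standing in for DNS in the demo and tests.
FAKE_DNS = {
    "feeds.example.net": ["8.8.8.8"],                   # constructed: public only
    "dual.example.net": ["8.8.8.8", "192.168.1.132"],   # constructed: mixed records
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN: %s" % host)
    return FAKE_DNS[host]


def demo():
    """Run the filter over a few constructed inputs; returns {url: ok}."""
    urls = [
        "http://192.168.1.132:22/",        # private literal, as in the report
        "http://[::ffff:10.0.0.1]/",       # IPv4-mapped private address
        "ftp://8.8.8.8/",                  # disallowed scheme
        "http://feeds.example.net/rss",    # resolves to a public address
        "http://dual.example.net/",        # one private record is enough to reject
    ]
    return {u: validate_feed_url(u, resolver=fake_resolver)[0] for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print("%-32s %s" % (url, "allowed" if ok else "blocked"))
```

Port filtering is a separate decision: the scan in the report works because any port is accepted, so an importer that only ever talks to web servers can additionally restrict the port to 80/443 or the default for the scheme. Redirects also have to pass through the same check, since a public host can redirect the fetcher to a private address.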

[+] Attack Reproduce

Put "http://192.168.1.132:22/" in the RSS URL input field. The response
displays an error message saying "Status code line invalid:
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7", where my host 192.168.1.132 has
SSH open on port 22.

[+] Solution
Dotclear has released version 2.10 to fix this vulnerability.

[+] Timeline
- 08/07/2016 - Report vulnerability
- 09/07/2016 - Dotclear acknowledged the vulnerability
- 17/07/2016 - Fix is available in Dotclear trac
- 13/08/2016 - Dotclear 2.10 is available for download
- 24/08/2016 - Public Disclosure

Thank you to the Dotclear authors for their swift response and for taking
security issues seriously.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/