lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 24 Aug 2016 16:31:28 +0700
From: gen type <gen0typ3.n@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Dotclear 2.9.1 Directory Download Vulnerability

######################################
Dotclear 2.9.1 Directory Download Vulnerability
######################################

[+] Software: https://dotclear.org/
[+] Author: Wiswat Aswamenakul
[+] Affected version: only tested on 2.9.1 (previous version might be
affected)
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9
[+] Description
Authenticated users with media manager access permission are allowed to
download media directories in zip file format. The directory path to be
zipped is not properly verified. As a result, it is possible for
authenticated users with media manager access permission to download all
directories readable by web server and located in the same traversal
path as dotclear in zipped format. For example, if dotclear is located
at /var/www/html/dotclear/ following directories can be downloaded if
web server has read permission.
- /var/
- /var/www/
- /var/www/html/
The authenticated users could have access to source code of dotclear,
including config.php, and source code of other web application located
under the same document root.


[+] Attack Reproduce

Following url will download source code of dotclear, including
config.php which has username and password to connect database.
http://example.com/dotclear/admin/media.php?popup=0&select=0&d=./../&zipdl=1

[+] Solution
Dotclear has released version 2.10 to fix this vulnerability

[+] Timeline
- 11/07/2016 - Report vulnerability
- 12/07/2016 - Dotclear acknowledge the vulnerability
- 15/07/2016 - Fix is available in Dotclear trac
- 13/08/2016 - Dotclear 2.10 is avaible for download
- 24/08/2016 - Public Disclosure

Thank you Dotclear authors for swift response and taking security issues
importantly

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ