| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Aug 2016 16:32:12 +0700 From: gen type <gen0typ3.n@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Dotclear 2.9.1 Malicious File Upload Restriction Bypass ############################################# Dotclear 2.9.1 Malicious File Upload Restriction Bypass ############################################# [+] Software: https://dotclear.org/ [+] Author: Wiswat Aswamenakul [+] Affected version: only tested on 2.9.1 (previous version might be affected) [+] Platform: tested on Ubuntu 14.04, PHP 5.5.9 [+] Description Dotclear has a feature to upload files in Media Manager. However, by default, there is a filtering to prevent authenticated users to upload malicious files, such PHP code, to execute on the server. The default filter is as following. /\.(phps?|pht(ml)?|phl|s?html?|js)[0-9]*$/i (PCRE) The above filter does not filter .htaccess file which allows authenticated users to upload .htaccess file to the server which enable PHP code execution on any file extension. [+] Attack Reproduce Note: in order for this exploit to work, it is required that apache configuration allow the usage of .htaccess file on dotclear directory (dotclear itself has .htaccess to restrict access to cache folder by default) 1. Create htaccess file with following content AddType application/x-httpd-php .xpl 2. Upload htaccess file through local proxy, such as burp suite, and change file name to "..htaccess" 3. Create file "shell.xpl" with following content <?php phpinfo(); ?> 4. Upload "shell.xpl" to dotclear 5. Open the uploaded shell.xpl [+] Solution Suggested solutions require re-design of Dotclear which might cause significant time to implement. As a result, the author designed to implement suggested interrim solution in Dotclear version 2.10 to fix this vulnerability [+] Timeline - 12/07/2016 - Report vulnerability - 12/07/2016 - Dotclear acknowledge the vulnerability - 12/07/2016 - Fix is available in Dotclear trac - 13/08/2016 - Dotclear 2.10 is avaible for download - 24/08/2016 - Public Disclosure Thank you Dotclear authors for swift response and taking security issues importantly _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists