lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAET3BY-EUDGML53tp902VLVTM+op5cKahfZEkAqwak31k91Jzg@mail.gmail.com>
Date: Wed, 24 Aug 2016 16:32:12 +0700
From: gen type <gen0typ3.n@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Dotclear 2.9.1 Malicious File Upload Restriction Bypass

#############################################
Dotclear 2.9.1 Malicious File Upload Restriction Bypass
#############################################

[+] Software: https://dotclear.org/
[+] Author: Wiswat Aswamenakul
[+] Affected version: only tested on 2.9.1 (previous version might be
affected)
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9
[+] Description
Dotclear has a feature to upload files in Media Manager. However, by
default, there is a filtering to prevent authenticated users to upload
malicious files, such PHP code, to execute on the server. The default
filter is as following.
/\.(phps?|pht(ml)?|phl|s?html?|js)[0-9]*$/i (PCRE)
The above filter does not filter .htaccess file which allows
authenticated users to upload .htaccess file to the server which enable
PHP code execution on any file extension.


[+] Attack Reproduce

Note: in order for this exploit to work, it is required that apache
configuration allow the usage of .htaccess file on dotclear directory
(dotclear itself has .htaccess to restrict access to cache folder by
default)

1. Create htaccess file with following content
AddType application/x-httpd-php .xpl

2. Upload htaccess file through local proxy, such as burp suite, and
change file name to "..htaccess"

3. Create file "shell.xpl" with following content
<?php
phpinfo();
?>

4. Upload "shell.xpl" to dotclear

5. Open the uploaded shell.xpl

[+] Solution
Suggested solutions require re-design of Dotclear which might cause
significant time to implement. As a result, the author designed to
implement suggested interrim solution in Dotclear version 2.10 to fix this
vulnerability

[+] Timeline
- 12/07/2016 - Report vulnerability
- 12/07/2016 - Dotclear acknowledge the vulnerability
- 12/07/2016 - Fix is available in Dotclear trac
- 13/08/2016 - Dotclear 2.10 is avaible for download
- 24/08/2016 - Public Disclosure

Thank you Dotclear authors for swift response and taking security issues
importantly

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ