Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Dotclear 2.9.1 Malicious File Upload Restriction Bypass

From: gen type <gen0typ3.n () gmail com>
Date: Wed, 24 Aug 2016 16:32:12 +0700
#############################################
Dotclear 2.9.1 Malicious File Upload Restriction Bypass
#############################################

[+] Software: https://dotclear.org/
[+] Author: Wiswat Aswamenakul
[+] Affected version: only tested on 2.9.1 (previous version might be
affected)
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9
[+] Description
Dotclear has a feature to upload files in Media Manager. However, by
default, there is a filtering to prevent authenticated users to upload
malicious files, such PHP code, to execute on the server. The default
filter is as following.
/\.(phps?|pht(ml)?|phl|s?html?|js)[0-9]*$/i (PCRE)
The above filter does not filter .htaccess file which allows
authenticated users to upload .htaccess file to the server which enable
PHP code execution on any file extension.


[+] Attack Reproduce

Note: in order for this exploit to work, it is required that apache
configuration allow the usage of .htaccess file on dotclear directory
(dotclear itself has .htaccess to restrict access to cache folder by
default)

1. Create htaccess file with following content
AddType application/x-httpd-php .xpl

2. Upload htaccess file through local proxy, such as burp suite, and
change file name to "..htaccess"

3. Create file "shell.xpl" with following content
<?php
phpinfo();
?>

4. Upload "shell.xpl" to dotclear

5. Open the uploaded shell.xpl

[+] Solution
Suggested solutions require re-design of Dotclear which might cause
significant time to implement. As a result, the author designed to
implement suggested interrim solution in Dotclear version 2.10 to fix this
vulnerability

[+] Timeline
- 12/07/2016 - Report vulnerability
- 12/07/2016 - Dotclear acknowledge the vulnerability
- 12/07/2016 - Fix is available in Dotclear trac
- 13/08/2016 - Dotclear 2.10 is avaible for download
- 24/08/2016 - Public Disclosure

Thank you Dotclear authors for swift response and taking security issues
importantly

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: