Dotclear 2.6.2 Authentication Bypass

`-------------------------------------------------------------------------  
Dotclear <= 2.6.2 (XML-RPC Interface) Authentication Bypass Vulnerability  
-------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
http://dotclear.org/  
  
  
[-] Affected Versions:  
  
Version 2.6.2 and probably prior versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerable code is located in the dcXmlRpc::setUser() method  
(inc/core/class.dc.xmlrpc.php):  
  
262. /* Internal methods  
263. --------------------------------------------------- */  
264. private function setUser($user_id,$pwd)  
265. {  
266. if ($this->core->auth->userID() == $user_id) {  
267. return true;  
268. }  
269.   
270. if ($this->core->auth->checkUser($user_id,$pwd) !== true) {  
271. throw new Exception('Login error');  
272. }  
273.   
274. return true;  
  
The vulnerability exists because of the method not properly verifying  
the provided password  
before being used in a call to the dcAuth::checkUser() method at line  
270. This could be exploited  
to bypass the authentication mechanism by sending an XML-RPC request  
with a valid username and an  
empty password. Successful exploitation of this vulnerability requires  
the XML-RPC interface to  
be enabled (disabled by default).  
  
  
[-] Solution:  
  
Update to version 2.6.3.  
  
  
[-] Disclosure Timeline:  
  
[14/05/2014] - Vendor notified  
[15/05/2014] - Vendor response  
[16/05/2014] - Version 2.6.3 released:  
http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3  
[16/05/2014] - CVE number requested  
[19/05/2014] - CVE number assigned  
[21/05/2014] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2014-3781 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2014-05  
  
  
`