Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormEgiXPACKETSTORM:126768
HistoryMay 22, 2014 - 12:00 a.m.

Dotclear 2.6.2 SQL Injection

2014-05-2200:00:00
EgiX
packetstormsecurity.com
26

0.002 Low

EPSS

Percentile

54.5%

JSON
`--------------------------------------------------------------  
Dotclear <= 2.6.2 (categories.php) SQL Injection Vulnerability  
--------------------------------------------------------------  
  
  
[-] Software Link:  
  
http://dotclear.org/  
  
  
[-] Affected Versions:  
  
Version 2.6.2 and probably prior versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerable code is located in /admin/categories.php:  
  
70. # Update order  
71. if (!empty($_POST['save_order']) && !empty($_POST['categories_order'])) {  
72. $categories = json_decode($_POST['categories_order']);  
73.   
74. foreach ($categories as $category) {  
75. if (!empty($category->item_id)) {  
76. $core->blog->updCategoryPosition($category->item_id, $category->left, $category->right);  
77. }  
78. }  
79.   
80. dcPage::addSuccessNotice(__('Categories have been successfully reordered.'));  
81. http::redirect('categories.php');  
82. }  
  
User input passed through the $_POST['categories_order'] parameter is not properly sanitized before being used in a  
call to the dcBlog::updCategoryPosition() method at line 76. This could be exploited to conduct SQL injection attacks  
leveraging the UPDATE statement defined in the nestedTree::updatePosition() method. Successful exploitation of this  
vulnerability requires an account with the “manage categories” permission.  
  
  
[-] Solution:  
  
Update to version 2.6.3.  
  
  
[-] Disclosure Timeline:  
  
[14/05/2014] - Vendor notified  
[15/05/2014] - Vendor response  
[16/05/2014] - Version 2.6.3 released: http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3  
[16/05/2014] - CVE number requested  
[19/05/2014] - CVE number assigned  
[21/05/2014] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2014-3783 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2014-07  
  
  
`

Related

prion 1
cve 1
securityvulns 2
ubuntucve 1
zdt 1
openvas 1
prion
prion
Sql injection
2014-05-22 15:13:00
cve
cve
CVE-2014-3783
2014-05-22 15:13:00
securityvulns
securityvulns
[KIS-2014-07] Dotclear &lt;= 2.6.2 &#40;categories.php&#41; SQL Injection Vulnerability
2014-06-14 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-06-14 00:00:00
ubuntucve
ubuntucve
CVE-2014-3783
2014-05-22 00:00:00
zdt
zdt
Dotclear 2.6.2 Multiple Vulnerability
2014-05-25 00:00:00
openvas
openvas
Dotclear Multiple Vulnerabilities
2014-06-09 00:00:00

0.002 Low

EPSS

Percentile

54.5%

JSON
Related for PACKETSTORM:126768
prion1cve1securityvulns2ubuntucve1zdt1openvas1