dotclear 2.8.1 Cross Site Scripting

Type packetstorm
Reporter Tim Coen
Modified 2015-11-16T00:00:00


                                            `Security Advisory - Curesec Research Team  
1. Introduction  
Affected Product: dotclear 2.8.1  
Fixed in: 2.8.2  
Fixed Version Link:  
Vendor Website:  
Vulnerability Type: XSS  
Remote Exploitable: Yes  
Reported to vendor: 10/02/2015  
Disclosed to public: 11/13/2015  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
2. Overview  
Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N  
The Comment author name is echoed inside the value attribute of an input tag  
when viewing the list of all comments for that author. Quotes are not encoded,  
which allows for the addition of further attributes to the tag.  
The field is hidden, so onfocus or similar do not work, and the length of the  
name is limited, which makes an actual exploitation unlikely. Still, with older  
browser an attacker might try to inject a style attribute which may lead to  
3. Proof of Concept  
1. Create comment with author name  
" newattribute="value  
2. Visit  
3. The result will be:  
<input type="hidden" name="author" value="" newattribute="value" />  
4. Solution  
To mitigate this issue please upgrade at least to version 2.8.2:  
Please note that a newer version might already be available.  
5. Report Timeline  
10/02/2015 Informed Vendor  
10/25/2015 Vendor releases fix  
11/13/2015 Disclosed to public  
Blog Reference: