dotclear 2.8.1 Cross Site Scripting

2015-11-16T00:00:00
ID PACKETSTORM:134353
Type packetstorm
Reporter Tim Coen
Modified 2015-11-16T00:00:00

Description

                                        
                                            `Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: dotclear 2.8.1  
Fixed in: 2.8.2  
Fixed Version Link: http://download.dotclear.org/latest.zip  
Vendor Website: http://dotclear.org/  
Vulnerability Type: XSS  
Remote Exploitable: Yes  
Reported to vendor: 10/02/2015  
Disclosed to public: 11/13/2015  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
CVSS  
  
Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N  
  
Description  
  
The Comment author name is echoed inside the value attribute of an input tag  
when viewing the list of all comments for that author. Quotes are not encoded,  
which allows for the addition of further attributes to the tag.  
  
The field is hidden, so onfocus or similar do not work, and the length of the  
name is limited, which makes an actual exploitation unlikely. Still, with older  
browser an attacker might try to inject a style attribute which may lead to  
XSS.  
  
3. Proof of Concept  
  
  
1. Create comment with author name  
" newattribute="value  
2. Visit  
http://localhost/dotclear/admin/comments.php?n=30&status=&sortby=comment_dt&order=desc&author=%22+newattribute%3D%22value  
3. The result will be:  
<input type="hidden" name="author" value="" newattribute="value" />  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 2.8.2:  
  
http://download.dotclear.org/latest.zip  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
10/02/2015 Informed Vendor  
10/25/2015 Vendor releases fix  
11/13/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/dotclear-281-XSS-94.html  
  
  
`