Dotclear 2.9.1 Directory Download

`######################################  
Dotclear 2.9.1 Directory Download Vulnerability  
######################################  
  
[+] Software: https://dotclear.org/  
[+] Author: Wiswat Aswamenakul  
[+] Affected version: only tested on 2.9.1 (previous version might be  
affected)  
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9  
[+] Description  
Authenticated users with media manager access permission are allowed to  
download media directories in zip file format. The directory path to be  
zipped is not properly verified. As a result, it is possible for  
authenticated users with media manager access permission to download all  
directories readable by web server and located in the same traversal  
path as dotclear in zipped format. For example, if dotclear is located  
at /var/www/html/dotclear/ following directories can be downloaded if  
web server has read permission.  
- /var/  
- /var/www/  
- /var/www/html/  
The authenticated users could have access to source code of dotclear,  
including config.php, and source code of other web application located  
under the same document root.  
  
  
[+] Attack Reproduce  
  
Following url will download source code of dotclear, including  
config.php which has username and password to connect database.  
http://example.com/dotclear/admin/media.php?popup=0&select=0&d=./../&zipdl=1  
  
[+] Solution  
Dotclear has released version 2.10 to fix this vulnerability  
  
[+] Timeline  
- 11/07/2016 - Report vulnerability  
- 12/07/2016 - Dotclear acknowledge the vulnerability  
- 15/07/2016 - Fix is available in Dotclear trac  
- 13/08/2016 - Dotclear 2.10 is avaible for download  
- 24/08/2016 - Public Disclosure  
  
Thank you Dotclear authors for swift response and taking security issues  
importantly  
  
  
`