Dotclear 2.9.1 SSRF / XSPA

2016-08-25T00:00:00
ID PACKETSTORM:138501
Type packetstorm
Reporter Wiswat Aswamenakul
Modified 2016-08-25T00:00:00

Description

#################################  
Dotclear 2.9.1 SSRF/XSPA Vulnerability  
#################################  
  
[+] Software: https://dotclear.org/  
[+] Author: Wiswat Aswamenakul  
[+] Affected version: only tested on 2.9.1 (previous versions might be  
affected)  
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9  
[+] Description  
Dotclear has a feature to import blog content through an RSS feed.  
Authenticated users have access to this feature. The feature does not  
restrict access to private networks such as 10.0.0.1/8, 172.16.0.0/12 and  
192.168.0.0/16. This allows authenticated users to use the RSS import to  
port-scan the internal network.  
  
[+] Attack Reproduction  
  
Put "http://192.168.1.132:22/" in the RSS URL input field. The  
response displays an error message saying "Status code line invalid:  
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7", where my 192.168.1.132 has SSH  
open on port 22.  
  
[+] Solution  
Dotclear has released version 2.10 to fix this vulnerability.  
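The missing check described in the description above, as an added Python illustration (not Dotclear's code and not its 2.10 fix): a feed fetcher resolves the submitted URL and refuses anything in the three private ranges named in the advisory, plus loopback, link-local and their IPv6 equivalents, and only permits the ports a feed fetcher needs. All function and constant names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an RSS-import fetcher should never reach: the three private ranges
# from the advisory plus loopback, link-local and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_PORTS = {80, 443}   # a feed fetcher has no business on port 22

def is_blocked_ip(ip_text):
    """True if the address falls in a blocked range (IPv4-mapped v6 included)."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])   # drop IPv6 scope id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:192.168.1.132 must not bypass v4 rules
    return any(ip in net for net in BLOCKED_NETWORKS)

def check_feed_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). `resolver` has getaddrinfo's signature so a
    stub can be injected (hypothetical helper, runs offline in tests)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:                               # IP literal: no lookup needed
        addrs = {str(ipaddress.ip_address(parts.hostname))}
    except ValueError:
        try:
            addrs = {info[4][0] for info in resolver(parts.hostname, port)}
        except (socket.gaierror, OSError):
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    # One private record is enough to reject: the submitter controls their DNS.
    for addr in sorted(addrs):
        if is_blocked_ip(addr):
            return False, "resolves to blocked address %s" % addr
    return True, "ok"
```

The fetcher must then connect to the address that was checked rather than re-resolving the name, and must re-run the check on every HTTP redirect, otherwise a rebinding or redirecting host bypasses it.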
  
[+] Timeline  
- 08/07/2016 - Report vulnerability  
- 09/07/2016 - Dotclear acknowledged the vulnerability  
- 17/07/2016 - Fix is available in Dotclear trac  
- 13/08/2016 - Dotclear 2.10 is available for download  
- 24/08/2016 - Public Disclosure  
  
Thank you to the Dotclear authors for their swift response and for taking  
security issues seriously.  
  
  