------------------------------------------------------------------------
Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability
------------------------------------------------------------------------
[-] Software Link:
http://dotclear.org/
[-] Affected Versions:
Version 2.6.2 and probably prior versions.
[-] Vulnerability Description:
The vulnerability exists because the filemanager::isFileExclude() method does not properly verify the extension of
uploaded files. The method only checks whether the uploaded file name matches the “exclude_pattern” regular expression,
which by default is set to “/\.php$/i”. This could be exploited to execute arbitrary PHP code by uploading a file with
multiple extensions or other extensions (like .php5 or .phtml) which might be handled as PHP scripts. Successful
exploitation of this vulnerability requires an account with permissions to manage media items.
[-] Solution:
Apply the vendor workaround or define a more secure “media_exclusion” setting (PCRE value).
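Added example (not part of the original advisory and not Dotclear's code): the default pattern quoted above evaluated next to a stricter exclusion pattern and an extension allowlist. The stricter pattern, the allowlist, the function names and the file names are assumptions constructed for illustration; only “/\.php$/i” comes from the advisory.

```php
<?php
// Added example; not Dotclear's code. Only DEFAULT_EXCLUDE is taken from the advisory.
const DEFAULT_EXCLUDE = '/\.php$/i';

// Assumed stricter PCRE (not the vendor's value): matches a PHP-like
// extension anywhere in the name, not only at the very end.
const STRICT_EXCLUDE = '/\.(php\d*|pht(ml)?|phar)(\.|$)/i';

// Hypothetical allowlist of media extensions for this sketch.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'mp3'];

// Denylist check in the style the advisory describes: reject on pattern match.
function isExcluded(string $pattern, string $name): bool
{
    return preg_match($pattern, $name) === 1;
}

// Allowlist check: every extension segment must be a known media type,
// so names with no extension, dotfiles and stacked extensions are rejected.
function isAllowed(string $name): bool
{
    $segments = explode('.', strtolower(basename($name)));
    array_shift($segments);            // drop the base name
    if ($segments === []) {
        return false;
    }
    foreach ($segments as $ext) {
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return false;
        }
    }
    return true;
}

// Constructed file names covering the cases named in the advisory.
$names = ['photo.jpg', 'notes.php', 'notes.PHP', 'notes.php5',
          'notes.phtml', 'notes.php.jpg', '.htaccess'];

printf("%-14s %-8s %-8s %s\n", 'name', 'default', 'strict', 'allowlist');
foreach ($names as $n) {
    printf("%-14s %-8s %-8s %s\n", $n,
        isExcluded(DEFAULT_EXCLUDE, $n) ? 'reject' : 'accept',
        isExcluded(STRICT_EXCLUDE, $n) ? 'reject' : 'accept',
        isAllowed($n) ? 'accept' : 'reject');
}
```

The allowlist is the only one of the three checks that fails closed for extensions nobody anticipated, at the cost of rejecting legitimate names such as report.v2.pdf.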
[-] Disclosure Timeline:
[14/05/2014] - Vendor notified
[15/05/2014] - Vendor response
[16/05/2014] - Version 2.6.3 released: http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3
[16/05/2014] - CVE number requested
[19/05/2014] - CVE number assigned
[21/05/2014] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-3782 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2014-06