Fi8sVrs

Dotclear 2.9.1 Shell Upload

Dotclear version 2.9.1 suffers from a remote shell upload vulnerability.


#############################################
Dotclear 2.9.1 Malicious File Upload Restriction Bypass
#############################################

[+] Software: https://dotclear.org/
[+] Author: Wiswat Aswamenakul
[+] Affected version: only tested on 2.9.1 (previous versions might be
affected)
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9
[+] Description
Dotclear has a feature to upload files in the Media Manager. However, by
default, there is a filter to prevent authenticated users from uploading
malicious files, such as PHP code, to execute on the server. The default
filter is as follows.
/\.(phps?|pht(ml)?|phl|s?html?|js)[0-9]*$/i (PCRE)
The above filter does not filter the .htaccess file, which allows
authenticated users to upload an .htaccess file to the server, enabling
PHP code execution on any file extension.


[+] Attack Reproduce

Note: in order for this exploit to work, it is required that the Apache
configuration allows the use of .htaccess files in the Dotclear directory
(Dotclear itself ships an .htaccess file to restrict access to the cache
folder by default)

1. Create an htaccess file with the following content
AddType application/x-httpd-php .xpl

2. Upload the htaccess file through a local proxy, such as Burp Suite, and
change the file name to "..htaccess"

3. Create the file "shell.xpl" with the following content
<?php
phpinfo();
?>

4. Upload "shell.xpl" to Dotclear

5. Open the uploaded shell.xpl

[+] Solution
The suggested solutions require a redesign of Dotclear, which might take
significant time to implement. As a result, the authors decided to
implement the suggested interim solution in Dotclear version 2.10 to fix this
vulnerability.

[+] Timeline
- 12/07/2016 - Reported vulnerability
- 12/07/2016 - Dotclear acknowledged the vulnerability
- 12/07/2016 - Fix is available in Dotclear trac
- 13/08/2016 - Dotclear 2.10 is available for download
- 24/08/2016 - Public Disclosure

Thank you to the Dotclear authors for the swift response and for taking
security issues seriously.
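The description above shows why the 2.9.1 filter fails: it is a denylist of extensions, so any name it never enumerates (a dotfile such as ".htaccess", or an arbitrary extension such as ".xpl" mapped to PHP by that .htaccess) is accepted. The following script is an added example, not Dotclear's code or the advisory author's; it runs the quoted PCRE denylist and a hardened allowlist check side by side over constructed sample names. The allowlist contents and the dotfile and double-extension rules are assumptions for illustration.

```python
import re
from pathlib import PurePosixPath

# Dotclear 2.9.1 default upload denylist, as quoted in the advisory.
# PCRE "/.../i" becomes re.IGNORECASE here.
DEFAULT_DENY_RE = re.compile(r"\.(phps?|pht(ml)?|phl|s?html?|js)[0-9]*$", re.IGNORECASE)

# Assumed allowlist for the hardened check; Dotclear's real media types are not on the page.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf", "txt"})


def denylist_allows(filename: str) -> bool:
    """2.9.1 behaviour: anything the regex does not match is accepted.

    '.htaccess' has no extension in the regex's sense, so it slips through,
    as does any extension the list never mentions (e.g. '.xpl')."""
    return DEFAULT_DENY_RE.search(filename) is None


def allowlist_allows(filename: str) -> bool:
    """Hardened check: one path component, no dotfiles, exactly one extension
    drawn from an allowlist. Unknown or server-interpreted names are rejected
    by default instead of having to be enumerated one by one."""
    name = PurePosixPath(filename).name
    if name != filename or name in ("", ".", ".."):
        return False                      # path separators or directory names
    if name.startswith("."):
        return False                      # .htaccess, ..htaccess, any dotfile
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or "." in stem:
        return False                      # no extension, or a double extension
    return ext.lower() in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {name: (denylist_result, allowlist_result)} for reporting."""
    return {n: (denylist_allows(n), allowlist_allows(n)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the two used in the advisory.
    samples = ["photo.png", "report.pdf", "..htaccess", ".htaccess",
               "shell.xpl", "page.php5", "index.PHTML", "a.php.png", "../x.png"]
    for name, (deny_ok, allow_ok) in compare(samples).items():
        print(f"{name:14} denylist={'accept' if deny_ok else 'reject':6} "
              f"allowlist={'accept' if allow_ok else 'reject'}")
```

The filename check is only one layer; the advisory's own note points at the other, since the upload is harmless where the web server ignores per-directory .htaccess files (AllowOverride None) in the media directory.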
