DotClear Full Path Disclosure Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: DotClear Full Path Disclosure Vulnerability
From: raphael.huck@xxxxxxx
Date: 11 Feb 2007 23:20:18 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

I have contacted the developers 2 weeks ago, still no answer...

Vendor: DotClear
Vulnerable: DotClear 1.2.5 and below
Release Date: 2007-01-28

Full Path Disclosure

This vulnerability affects:
http://www.example.com/dotclear/themes/default/form.php
http://www.example.com/dotclear/themes/default/list.php
http://www.example.com/dotclear/themes/default/post.php
http://www.example.com/dotclear/themes/default/template.php

When they are called, the scripts do not check that they have been called by 
another page of the blog, so when they are called directly, they disclose the 
full path of the webroot.

Fatal error: Call to a member function fetch() on a non-object in
/home/users/xxxx/dotclear/themes/xxx/list.php on line 34
        


Solution

Edit the code. 

Advisory

http://zone14.free.fr/advisories/8/

Follow-Ups:
- Re: DotClear Full Path Disclosure Vulnerability
  - From: Cedric Blancher

Prev by Date: Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?
Next by Date: Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)
Previous by thread: Re: Web Server Botnets and Server Farms as Attack Platforms
Next by thread: Re: DotClear Full Path Disclosure Vulnerability
Index(es):
- Date
- Thread