what you don't know can hurt you

Dotclear 2.6.2 Authentication Bypass

Dotclear 2.6.2 Authentication Bypass
Posted May 22, 2014
Authored by EgiX | Site karmainsecurity.com

Dotclear versions 2.6.2 and below suffer from an XML-RPC interface authentication bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2014-3781
MD5 | 930391070853eeb2107de12ceeab82f8

Dotclear 2.6.2 Authentication Bypass

Change Mirror Download
-------------------------------------------------------------------------
Dotclear <= 2.6.2 (XML-RPC Interface) Authentication Bypass Vulnerability
-------------------------------------------------------------------------


[-] Software Link:

http://dotclear.org/


[-] Affected Versions:

Version 2.6.2 and probably prior versions.


[-] Vulnerability Description:

The vulnerable code is located in the dcXmlRpc::setUser() method
(inc/core/class.dc.xmlrpc.php):

262. /* Internal methods
263. --------------------------------------------------- */
264. private function setUser($user_id,$pwd)
265. {
266. if ($this->core->auth->userID() == $user_id) {
267. return true;
268. }
269.
270. if ($this->core->auth->checkUser($user_id,$pwd) !== true) {
271. throw new Exception('Login error');
272. }
273.
274. return true;

The vulnerability exists because of the method not properly verifying
the provided password
before being used in a call to the dcAuth::checkUser() method at line
270. This could be exploited
to bypass the authentication mechanism by sending an XML-RPC request
with a valid username and an
empty password. Successful exploitation of this vulnerability requires
the XML-RPC interface to
be enabled (disabled by default).


[-] Solution:

Update to version 2.6.3.


[-] Disclosure Timeline:

[14/05/2014] - Vendor notified
[15/05/2014] - Vendor response
[16/05/2014] - Version 2.6.3 released:
http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3
[16/05/2014] - CVE number requested
[19/05/2014] - CVE number assigned
[21/05/2014] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-3781 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2014-05


Login or Register to add favorites

File Archive:

February 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    33 Files
  • 2
    Feb 2nd
    30 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    8 Files
  • 5
    Feb 5th
    11 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    1 Files
  • 8
    Feb 8th
    37 Files
  • 9
    Feb 9th
    15 Files
  • 10
    Feb 10th
    11 Files
  • 11
    Feb 11th
    26 Files
  • 12
    Feb 12th
    8 Files
  • 13
    Feb 13th
    1 Files
  • 14
    Feb 14th
    1 Files
  • 15
    Feb 15th
    9 Files
  • 16
    Feb 16th
    33 Files
  • 17
    Feb 17th
    6 Files
  • 18
    Feb 18th
    10 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    1 Files
  • 21
    Feb 21st
    1 Files
  • 22
    Feb 22nd
    17 Files
  • 23
    Feb 23rd
    15 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    28 Files
  • 26
    Feb 26th
    25 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close