######################################
Dotclear 2.9.1 Directory Download Vulnerability
######################################

[+] Software: https://dotclear.org/
[+] Author: Wiswat Aswamenakul
[+] Affected version: only tested on 2.9.1 (previous version might be
affected)
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9
[+] Description
Authenticated users with media manager access permission are allowed to
download media directories in zip file format. The directory path to be
zipped is not properly verified. As a result, it is possible for
authenticated users with media manager access permission to download all
directories readable by web server and located in the same traversal
path as dotclear in zipped format. For example, if dotclear is located
at /var/www/html/dotclear/ following directories can be downloaded if
web server has read permission.
- /var/
- /var/www/
- /var/www/html/
The authenticated users could have access to source code of dotclear,
including config.php, and source code of other web application located
under the same document root.


[+] Attack Reproduce

Following url will download source code of dotclear, including
config.php which has username and password to connect database.
http://example.com/dotclear/admin/media.php?popup=0&select=0&d=./../&zipdl=1

[+] Solution
Dotclear has released version 2.10 to fix this vulnerability

[+] Timeline
- 11/07/2016 - Report vulnerability
- 12/07/2016 - Dotclear acknowledge the vulnerability
- 15/07/2016 - Fix is available in Dotclear trac
- 13/08/2016 - Dotclear 2.10 is avaible for download
- 24/08/2016 - Public Disclosure

Thank you Dotclear authors for swift response and taking security issues
importantly