Home / exploits Dotclear 2.9.1 Directory Download
Posted on 28 August 2016
###################################### Dotclear 2.9.1 Directory Download Vulnerability ###################################### [+] Software: https://dotclear.org/ [+] Author: Wiswat Aswamenakul [+] Affected version: only tested on 2.9.1 (previous version might be affected) [+] Platform: tested on Ubuntu 14.04, PHP 5.5.9 [+] Description Authenticated users with media manager access permission are allowed to download media directories in zip file format. The directory path to be zipped is not properly verified. As a result, it is possible for authenticated users with media manager access permission to download all directories readable by web server and located in the same traversal path as dotclear in zipped format. For example, if dotclear is located at /var/www/html/dotclear/ following directories can be downloaded if web server has read permission. - /var/ - /var/www/ - /var/www/html/ The authenticated users could have access to source code of dotclear, including config.php, and source code of other web application located under the same document root. [+] Attack Reproduce Following url will download source code of dotclear, including config.php which has username and password to connect database. http://example.com/dotclear/admin/media.php?popup=0&select=0&d=./../&zipdl=1 [+] Solution Dotclear has released version 2.10 to fix this vulnerability [+] Timeline - 11/07/2016 - Report vulnerability - 12/07/2016 - Dotclear acknowledge the vulnerability - 15/07/2016 - Fix is available in Dotclear trac - 13/08/2016 - Dotclear 2.10 is avaible for download - 24/08/2016 - Public Disclosure Thank you Dotclear authors for swift response and taking security issues importantly
