Home / os / linux

Dotclear 2.9.1 Shell Upload

Posted on 28 August 2016

############################################# Dotclear 2.9.1 Malicious File Upload Restriction Bypass ############################################# [+] Software: https://dotclear.org/ [+] Author: Wiswat Aswamenakul [+] Affected version: only tested on 2.9.1 (previous version might be affected) [+] Platform: tested on Ubuntu 14.04, PHP 5.5.9 [+] Description Dotclear has a feature to upload files in Media Manager. However, by default, there is a filtering to prevent authenticated users to upload malicious files, such PHP code, to execute on the server. The default filter is as following. /.(phps?|pht(ml)?|phl|s?html?|js)[0-9]*$/i (PCRE) The above filter does not filter .htaccess file which allows authenticated users to upload .htaccess file to the server which enable PHP code execution on any file extension. [+] Attack Reproduce Note: in order for this exploit to work, it is required that apache configuration allow the usage of .htaccess file on dotclear directory (dotclear itself has .htaccess to restrict access to cache folder by default) 1. Create htaccess file with following content AddType application/x-httpd-php .xpl 2. Upload htaccess file through local proxy, such as burp suite, and change file name to "..htaccess" 3. Create file "shell.xpl" with following content <?php phpinfo(); ?> 4. Upload "shell.xpl" to dotclear 5. Open the uploaded shell.xpl [+] Solution Suggested solutions require re-design of Dotclear which might cause significant time to implement. As a result, the author designed to implement suggested interrim solution in Dotclear version 2.10 to fix this vulnerability [+] Timeline - 12/07/2016 - Report vulnerability - 12/07/2016 - Dotclear acknowledge the vulnerability - 12/07/2016 - Fix is available in Dotclear trac - 13/08/2016 - Dotclear 2.10 is avaible for download - 24/08/2016 - Public Disclosure Thank you Dotclear authors for swift response and taking security issues importantly

 

TOP