dotclear 2.8.1 Cross Site Scripting

2015.11.16
Credit: Curesec
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Security Advisory - Curesec Research Team 1. Introduction Affected Product: dotclear 2.8.1 Fixed in: 2.8.2 Fixed Version Link: http://download.dotclear.org/latest.zip Vendor Website: http://dotclear.org/ Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 10/02/2015 Disclosed to public: 11/13/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview CVSS Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Description The Comment author name is echoed inside the value attribute of an input tag when viewing the list of all comments for that author. Quotes are not encoded, which allows for the addition of further attributes to the tag. The field is hidden, so onfocus or similar do not work, and the length of the name is limited, which makes an actual exploitation unlikely. Still, with older browser an attacker might try to inject a style attribute which may lead to XSS. 3. Proof of Concept 1. Create comment with author name " newattribute="value 2. Visit http://localhost/dotclear/admin/comments.php?n=30&status=&sortby=comment_dt&order=desc&author=%22+newattribute%3D%22value 3. The result will be: <input type="hidden" name="author" value="" newattribute="value" /> 4. Solution To mitigate this issue please upgrade at least to version 2.8.2: http://download.dotclear.org/latest.zip Please note that a newer version might already be available. 5. Report Timeline 10/02/2015 Informed Vendor 10/25/2015 Vendor releases fix 11/13/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/dotclear-281-XSS-94.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top