[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Dotclear 2.9.1 SSRF/XSPA Vulnerability
From: gen type <gen0typ3.n () gmail ! com>
Date: 2016-08-24 9:32:52
Message-ID: CAET3BY-58PsTPPr3dOvyZ2x-bpkwBpMvodrDiM5cF5uiR7REiQ () mail ! gmail ! com
[Download RAW message or body]
#################################
Dotclear 2.9.1 SSRF/XSPA Vulnerability
#################################
[+] Software: https://dotclear.org/
[+] Author: Wiswat Aswamenakul
[+] Affected version: only tested on 2.9.1 (previous version might be
affected)
[+] Platform: tested on Ubuntu 14.04, PHP 5.5.9
[+] Description
Dotclear has a feature to import blog content through RSS feed.
Authenticated users could have access to this feature. The feature has no
restrict to access private network, such as, 10.0.0.1/8, 172.16.0.0/12,
192.168.0.0/16. This allows authenticated users to use RSS import to scan
port of internal network.
[+] Attack Reproduce
By putting "http://192.168.1.132:22/" in the RSS URL input field. The
response display error message saying " Status code line invalid:
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7" where my 192.168.1.132 has SSH
opened on port 22.
[+] Solution
Dotclear has released version 2.10 to fix this vulnerability
[+] Timeline
- 08/07/2016 - Report vulnerability
- 09/07/2016 - Dotclear acknowledge the vulnerability
- 17/07/2016 - Fix is available in Dotclear trac
- 13/08/2016 - Dotclear 2.10 is avaible for download
- 24/08/2016 - Public Disclosure
Thank you Dotclear authors for swift response and taking security issues
importantly
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic