Latest YouTube Video
Saturday, November 14, 2015
[FD] dotclear 2.8.1: XSS
Security Advisory - Curesec Research Team 1. Introduction Affected Product: dotclear 2.8.1 Fixed in: 2.8.2 Fixed Version Link: http://ift.tt/1MdcPPc Vendor Website: http://dotclear.org/ Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 10/02/2015 Disclosed to public: 11/13/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview CVSS Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Description The Comment author name is echoed inside the value attribute of an input tag when viewing the list of all comments for that author. Quotes are not encoded, which allows for the addition of further attributes to the tag. The field is hidden, so onfocus or similar do not work, and the length of the name is limited, which makes an actual exploitation unlikely. Still, with older browser an attacker might try to inject a style attribute which may lead to XSS. 3. Proof of Concept 1. Create comment with author name " newattribute="value 2. Visit http://localhost/dotclear/admin/comments.php?n=30&status=&sortby=comment_dt&order=desc&author=%22+newattribute%3D%22value 3. The result will be:
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment