dotclear 2.8.1: XSS
Date: 2015-11-13 11:38:151. Introduction
| Affected Product: | dotclear 2.8.1 |
| Fixed in: | 2.8.2 |
| Fixed Version Link: | http://download.dotclear.org/latest.zip |
| Vendor Website: | http://dotclear.org/ |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 10/02/2015 |
| Disclosed to public: | 11/13/2015 |
| Release mode: | Coordinated release |
| CVE: | CVE-2015-8831 |
| Credits | Tim Coen of curesec GmbH |
2. Overview
CVSS
Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description
The Comment author name is echoed inside the value attribute of an input tag when viewing the list of all comments for that author. Quotes are not encoded, which allows for the addition of further attributes to the tag.
The field is hidden, so onfocus or similar do not work, and the length of the name is limited, which makes an actual exploitation unlikely. Still, with older browser an attacker might try to inject a style attribute which may lead to XSS.
3. Proof of Concept
1. Create comment with author name
" newattribute="value
2. Visit
http://localhost/dotclear/admin/comments.php?n=30&status=&sortby=comment_dt&order=desc&author=%22+newattribute%3D%22value
3. The result will be:
<input type="hidden" name="author" value="" newattribute="value" />
4. Solution
To mitigate this issue please upgrade at least to version 2.8.2:
http://download.dotclear.org/latest.zip
Please note that a newer version might already be available.
5. Report Timeline
| 10/02/2015 | Informed Vendor |
| 10/25/2015 | Vendor releases fix |
| 11/13/2015 | Disclosed to public |