oss-sec mailing list archives

CVE-2016-7902: Dotclear <= 2.10.2 (Media Manager) Unrestricted File Upload


From: "Hongkun Zeng" <hongkun.zeng () dbappsecurity com cn>
Date: Wed, 5 Oct 2016 23:43:04 +0800 (GMT+08:00)

Vulnerability: Dotclear <= 2.10.2 (Media Manager) Unrestricted File Upload
CVE: CVE-2016-7902
Discovered by: Hongkun Zeng (http://www.dbappsecurity.com.cn/)


Dotclear is an open source blog publishing application distributed under the GNU GPLv2.


The fileUnzip->unzip() method does not properly verify the extensions of files in a zip archive.
This could be exploited to execute arbitrary PHP code by uploading a zip archive containing files with 
extensions like .php.txt or .php%20.
Successful exploitation of this vulnerability requires an account with permissions to manage media items.


Fix commit: https://hg.dotclear.org/dotclear/rev/a9db771a5a70


Best Regards,
Hongkun Zeng
---------------------------------------------------
hongkun.zeng () dbappsecurity com cn
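
An added example (not Dotclear's code and not the fix commit referenced above) of a pre-extraction check for the two cases the advisory names: each zip entry name is URL-decoded and normalised, and every extension segment, not only the last, is tested against an allow-list. The allow-list, the function names rejectReason() and auditZip(), and the sample archive are assumptions constructed for illustration.

```php
<?php
// Added example: not Dotclear's code and not the referenced fix commit.
const ALLOWED_EXT = ['txt', 'jpg', 'png', 'gif', 'pdf']; // assumed allow-list

// Returns null when the entry name is acceptable, else the rejection reason.
function rejectReason(string $entry): ?string
{
    // Decode and normalise first, so ".php%20" is judged as ".php ".
    $name = str_replace('\\', '/', rawurldecode($entry));
    if (strpos($name, "\0") !== false) return 'NUL byte in name';
    if (in_array('..', explode('/', $name), true)) return 'path traversal';
    if (substr($name, -1) === '/') return null;          // directory entry
    $base = basename($name);
    if ($base !== rtrim($base, ' .')) return 'trailing space or dot';
    // Check every dot-separated segment after the first, not only the last:
    // "notes.php.txt" must fail because of ".php". This is deliberately strict.
    $exts = array_slice(explode('.', strtolower($base)), 1);
    if ($exts === []) return 'no extension';
    foreach ($exts as $ext) {
        if (!in_array($ext, ALLOWED_EXT, true)) return "extension '.$ext' not allowed";
    }
    return null;
}

// Lists rejected entries of an archive without extracting anything.
function auditZip(string $path): array
{
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) throw new RuntimeException("cannot open $path");
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        $reason = rejectReason($entry);
        if ($reason !== null) $rejected[$entry] = $reason;
    }
    $zip->close();
    return $rejected;
}

// Constructed sample archive (entry names are illustrative only).
$tmp = tempnam(sys_get_temp_dir(), 'zip');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
foreach (['photo.jpg', 'sub/readme.txt', 'notes.php.txt', 'page.php%20'] as $n) {
    $zip->addFromString($n, 'constructed');
}
$zip->close();
print_r(auditZip($tmp));
unlink($tmp);
```

An upload handler using a check like this would refuse the whole archive when auditZip() returns a non-empty array, rather than extracting the entries that passed.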
