CVE-2011-1584

Current Description

The updateFile function in inc/core/class.dc.media.php in the Media Manager in Dotclear before 2.2.3 does not properly restrict pathnames, which allows remote authenticated users to upload and execute arbitrary PHP code via the media_path or media_file parameter. NOTE: some of these details are obtained from third party information.

Basic Data

Published: June 08, 2011
Last Modified: April 27, 2012
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-264
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.5
Severity: MEDIUM
Exploitability Score: 8.0
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
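    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 2.3 | Application | Dotclear | Dotclear | 1.2.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 1.2.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 1.2.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 1.2.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 1.2.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 1.2.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 1.2.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 1.2.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | beta_2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | beta_3 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | beta_4 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | beta_5.2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | beta_5.4 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | beta_6 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | beta_7 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | rc1 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0 | rc2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.0.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.1.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.1.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.1.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.1.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.1.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.1.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | 2.2.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Dotclear | Dotclear | * | * | * | * | * | * | * | * | | 2.2.2 | | |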

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Dotclear | Dotclear | *, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 2.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.2, 2.2.1 |

References

| Name | Source | URL | Tags |
|---|---|---|---|
| http://dev.dotclear.org/2.0/changeset/2:3427 | MISC | http://dev.dotclear.org/2.0/changeset/2:3427 | Exploit, Patch |
| http://dotclear.org/blog/post/2011/04/01/Dotclear-2.2.3 | CONFIRM | http://dotclear.org/blog/post/2011/04/01/Dotclear-2.2.3 | Patch, Vendor Advisory |
| http://fr.dotclear.org/blog/post/2011/04/01/Dotclear-2.2.3 | CONFIRM | http://fr.dotclear.org/blog/post/2011/04/01/Dotclear-2.2.3 | Vendor Advisory |
| [oss-security] 20110413 CVE request: dotclear before 2.2.3 | MLIST | http://openwall.com/lists/oss-security/2011/04/13/19 | |
| [oss-security] 20110414 Re: CVE request: dotclear before 2.2.3 | MLIST | http://openwall.com/lists/oss-security/2011/04/14/8 | |
| [oss-security] 20110415 Re: CVE request: dotclear before 2.2.3 | MLIST | http://openwall.com/lists/oss-security/2011/04/15/11 | |
| [oss-security] 20110415 Re: CVE request: dotclear before 2.2.3 | MLIST | http://openwall.com/lists/oss-security/2011/04/15/7 | |
| 44049 | SECUNIA | http://secunia.com/advisories/44049 | Vendor Advisory |
| http://www.arcabit.com/english/home/a-flaw-in-dotclear | MISC | http://www.arcabit.com/english/home/a-flaw-in-dotclear | |