Dotclear

Ticket #2210 (closed defect: fixed)

Opened 9 years ago

Last modified 9 years ago

Password Reset Address Spoof Vulnerability in Dotclear

Reported by: Ambulong_DBAPP Owned by: team
Priority: highest Milestone: 2.11
Component: security Version: 2.10.2
Severity: critical Keywords: Vulnerability
Cc:

Description

Hi, I find a security issue in Dotclear.

Dotclear uses $_SERVER['HTTP_HOST'] as part of the password reset address.

The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g. if several domains are served by the same web server).

This can lead to phishing attacks because of the modification of the site's links. (A remote unauthenticated attacker can change the host in the reset password address.)

File: /inc/libs/clearbricks/common/lib.http.php

    public static function getHost() {
        // The host name is taken from the client-supplied Host header
        $server_name = explode(':', $_SERVER['HTTP_HOST']);
        $server_name = $server_name[0];
        if (self::$https_scheme_on_443 && $_SERVER['SERVER_PORT'] == '443') {
            $scheme = 'https';
            $port = '';
        } elseif (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
            $scheme = 'https';
            $port = ($_SERVER['SERVER_PORT'] != '443') ? ':'.$_SERVER['SERVER_PORT'] : '';
        } else {
            $scheme = 'http';
            $port = ($_SERVER['SERVER_PORT'] != '80') ? ':'.$_SERVER['SERVER_PORT'] : '';
        }
        return $scheme.'://'.$server_name.$port;
    }

Solution: Use the variable $_SERVER['SERVER_NAME'] instead of the variable $_SERVER['HTTP_HOST'], given that the server name is correctly defined, or use an application specific constant.

Hongkun Zeng hongkun.zeng@…
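The following is an added illustration of the mitigation the report proposes; it is not code from Dotclear or clearbricks. The function name, the allow-list and the sample request arrays are assumptions: the host used to build links is accepted only when it matches an allow-list or comes from the server's own configuration (SERVER_NAME), never from an unvalidated Host header.

```php
<?php
// Added example (not Dotclear/clearbricks code). Names and allow-list are assumptions.

/**
 * Build the "scheme://host[:port]" prefix for generated links (e.g. password
 * reset mails) from trusted inputs only.
 */
function trusted_base_url(array $server, array $allowed_hosts): string
{
    // 1. Accept the Host header only if it names an allow-listed canonical host.
    $host = '';
    if (isset($server['HTTP_HOST'])) {
        $candidate = strtolower(explode(':', $server['HTTP_HOST'], 2)[0]);
        if (in_array($candidate, $allowed_hosts, true)) {
            $host = $candidate;
        }
    }
    // 2. Otherwise fall back to SERVER_NAME, which the web server sets from its
    //    own configuration, and still require it to be allow-listed. Refuse to
    //    build a URL rather than emit one with an untrusted host.
    if ($host === '') {
        $host = strtolower($server['SERVER_NAME'] ?? '');
        if ($host === '' || !in_array($host, $allowed_hosts, true)) {
            throw new RuntimeException('No trusted host available for URL generation');
        }
    }

    // Scheme and port are also taken from server-side variables, not the request line.
    $https = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
          || (($server['SERVER_PORT'] ?? '') === '443');
    $scheme  = $https ? 'https' : 'http';
    $port    = (string)($server['SERVER_PORT'] ?? '');
    $default = $https ? '443' : '80';
    $suffix  = ($port !== '' && $port !== $default) ? ':' . $port : '';

    return $scheme . '://' . $host . $suffix;
}

// Constructed sample requests: a legitimate one and one with a forged Host header.
$allowed = ['blog.example.org'];
$good    = ['HTTP_HOST' => 'blog.example.org', 'SERVER_NAME' => 'blog.example.org',
            'SERVER_PORT' => '443', 'HTTPS' => 'on'];
$spoofed = ['HTTP_HOST' => 'not-the-blog.invalid', 'SERVER_NAME' => 'blog.example.org',
            'SERVER_PORT' => '80'];
echo trusted_base_url($good, $allowed), "\n";
echo trusted_base_url($spoofed, $allowed), "\n"; // forged header is ignored, SERVER_NAME wins
```

With the forged header the link is still generated with the configured host, which is the property a password reset mail needs; an unrecognised SERVER_NAME is treated as a configuration error rather than silently used.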

Change History

comment:1 Changed 9 years ago by franck <carnet.franck.paul@…>

(In [bb06343f4247]) Fix CVE-2016-7903: Dotclear <= 2.10.2 Password Reset Address Spoof / addresses #2210 — Thanks Hongkun Zeng for report

comment:2 Changed 9 years ago by franck

  • Status changed from new to closed
  • Resolution set to fixed
  • Milestone changed from A definir to 2.11
