Ticket #2210 (closed defect: fixed)
Password Reset Address Spoof Vulnerability in Dotclear
| Reported by: | Ambulong_DBAPP | Owned by: | team |
|---|---|---|---|
| Priority: | highest | Milestone: | 2.11 |
| Component: | security | Version: | 2.10.2 |
| Severity: | critical | Keywords: | Vulnerability |
| Cc: | | | |
Description
Hi, I found a security issue in Dotclear.
Dotclear uses `$_SERVER['HTTP_HOST']` as part of the password reset address.
The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g. if several domains are served by the same web server).
This can lead to phishing attacks because of the modification of the site's links. (A remote unauthenticated attacker can change the host in the reset password address.)
File: /inc/libs/clearbricks/common/lib.http.php

```php
public static function getHost() {
    // Host name is taken from the client-supplied Host header (port part stripped)
    $server_name = explode(':', $_SERVER['HTTP_HOST']);
    $server_name = $server_name[0];
    if (self::$https_scheme_on_443 && $_SERVER['SERVER_PORT'] == '443') {
        $scheme = 'https'; $port = '';
    } elseif (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
        $scheme = 'https'; $port = ($_SERVER['SERVER_PORT'] != '443') ? ':'.$_SERVER['SERVER_PORT'] : '';
    } else {
        $scheme = 'http'; $port = ($_SERVER['SERVER_PORT'] != '80') ? ':'.$_SERVER['SERVER_PORT'] : '';
    }
    return $scheme.'://'.$server_name.$port;
}
```
Solution: Use the variable `$_SERVER['SERVER_NAME']` instead of the variable `$_SERVER['HTTP_HOST']`, given that the server name is correctly defined, or use an application specific constant.
Hongkun Zeng hongkun.zeng@…
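As an added illustration of the "application specific constant" option from the report (this is example code, not Dotclear's or Clearbricks' own, and not the fix that landed in the referenced commit): a host builder that derives scheme and port from server-side variables as the original does, but never echoes an unvalidated Host header into a link. The `APP_CANONICAL_HOST` constant, the `$allowed_hosts` list and the two sample `$_SERVER` arrays are constructed for the demonstration.

```php
<?php
// Example code, not part of Dotclear/Clearbricks. The allowlist, the
// APP_CANONICAL_HOST constant and the sample request arrays are constructed.

final class SafeHost
{
    /** Hosts this deployment is legitimately served under (constructed values). */
    private static $allowed_hosts = array('blog.example.org', 'www.example.org');

    /**
     * Build "scheme://host[:port]" for absolute links such as password reset mails.
     *
     * Order of trust:
     *  1. A deployment constant (APP_CANONICAL_HOST), if defined: never request-derived.
     *  2. Otherwise the Host header, but only when it is on the allowlist.
     * Any other host is rejected rather than being written into a link.
     */
    public static function getHost(array $server)
    {
        // Scheme and port come from server-side variables, as in the original code.
        $https = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
              || (isset($server['SERVER_PORT']) && $server['SERVER_PORT'] == '443');
        $scheme       = $https ? 'https' : 'http';
        $default_port = $https ? '443' : '80';
        $port = (isset($server['SERVER_PORT']) && $server['SERVER_PORT'] != $default_port)
              ? ':'.$server['SERVER_PORT'] : '';

        if (defined('APP_CANONICAL_HOST')) {
            // Hypothetical deployment constant; its value never comes from the request.
            return $scheme.'://'.APP_CANONICAL_HOST.$port;
        }

        // Strip any ":port" suffix and normalise case before comparing.
        $raw  = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
        $host = strtolower(explode(':', $raw)[0]);
        if (!in_array($host, self::$allowed_hosts, true)) {
            throw new RuntimeException('Unexpected Host header: '.$host);
        }
        return $scheme.'://'.$host.$port;
    }
}

// Constructed request: a legitimate host over HTTPS.
$legit = array('HTTP_HOST' => 'blog.example.org', 'SERVER_PORT' => '443', 'HTTPS' => 'on');
echo SafeHost::getHost($legit), "\n";

// Constructed request: identical except that the Host header was tampered with.
$spoofed = array('HTTP_HOST' => 'attacker.example.net', 'SERVER_PORT' => '80');
try {
    echo SafeHost::getHost($spoofed), "\n";
} catch (RuntimeException $e) {
    // The tampered host is refused instead of ending up in a reset link.
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

One caveat on the ticket's first suggestion: on Apache with the default `UseCanonicalName Off`, `$_SERVER['SERVER_NAME']` is itself populated from the client's Host header, which is why the report qualifies it with "given that the server name is correctly defined". A deployment constant or an explicit allowlist, as above, removes that dependency on web server configuration.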
(In [bb06343f4247]) Fix CVE-2016-7903: Dotclear <= 2.10.2 Password Reset Address Spoof / addresses #2210 — Thanks Hongkun Zeng for report