Dotclear PHP Object Injection
CVE-2014-1613
A vulnerability was identified in the Dotclear PHP-based blogging platform which could be exploited to execute arbitrary PHP code.
Description
Dotclear is an open-source, PHP-based blogging platform. One of Dotclear’s features is to allow password-protected pages and posts. Because the platform calls PHP’s unserialize() on user-supplied data, it is possible to inject arbitrary PHP objects via the dc_passwd cookie, which could lead to remote code execution.
Impact
Successful exploitation of this could lead to execution of arbitrary PHP code.
Cause
Since PHP allows for object serialisation, if an unserialize() call is made on user-supplied data, such as GET/POST parameters or cookie data, attackers could pass crafted serialised strings via one of these channels, resulting in an arbitrary PHP object being injected into the application scope.
Solution
The vendor recommends upgrading to Dotclear 2.6.2.
Technical Details
When a user accesses a password-protected post or page, a check is performed to see whether the user already has the post/page ID and respective password stored in serialised data in the dc_passwd cookie.
The vulnerable code can be found in /inc/public/lib.urlhandlers.php and again in /plugins/pages/_public.php:
    # Password protected entry
    if ($post_password != '' && !$_ctx->preview)
    {
        # Get passwords cookie
        if (isset($_COOKIE['dc_passwd'])) {
            # Cookie value is user-controlled and is deserialised without any validation
            $pwd_cookie = unserialize($_COOKIE['dc_passwd']);
        } else {
            $pwd_cookie = array();
        }
        ...
    }
Setting the dc_passwd cookie to a serialised object that references a class which is not loaded (for example, O:4:"Test":0:{}) causes the PHP error “Cannot use object of type __PHP_Incomplete_Class as array”. A serialised object naming a loaded class (or one that autoloading can resolve), on the other hand, is instantiated, and PHP’s “magic methods” such as __wakeup() and __destruct() are invoked on it, executing whatever code they contain.
It is not currently known whether any pre-loaded classes make this vulnerability exploitable out of the box; however, given the platform’s extensibility through plugins, it could lead to arbitrary code execution.
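The cookie-handling pattern from the advisory next to a hardened replacement, as an added example that is not Dotclear's own code: the cookie only needs to carry post/page ID to password mappings, so it is stored as JSON (which can never yield objects) and authenticated with an HMAC so a tampered value is rejected before decoding. Function names and $secret (a server-side key) are placeholders.

```php
<?php
// Added example, not Dotclear's own code: the advisory's cookie pattern beside a
// hardened one. Function names and $secret (a server-side key) are placeholders.

// Vulnerable pattern: attacker-controlled cookie text goes straight into unserialize(),
// so a payload like O:4:"Test":0:{} is turned into an object before any validation.
function readPwdCookieVulnerable(array $cookies)
{
    return isset($cookies['dc_passwd']) ? unserialize($cookies['dc_passwd']) : [];
}

// Hardened pattern: the cookie only needs a map of post/page ID => stored password
// value, so it is encoded as JSON (no object semantics) and authenticated with an
// HMAC; a forged or altered cookie is discarded before anything is decoded.
function writePwdCookieHardened(array $pwdMap, string $secret): string
{
    $payload = json_encode($pwdMap);
    return hash_hmac('sha256', $payload, $secret) . '.' . base64_encode($payload);
}

function readPwdCookieHardened(array $cookies, string $secret): array
{
    if (!isset($cookies['dc_passwd']) || !is_string($cookies['dc_passwd'])) {
        return [];
    }
    $parts = explode('.', $cookies['dc_passwd'], 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$mac, $b64] = $parts;
    $payload = base64_decode($b64, true);
    // hash_equals() compares in constant time, so the MAC check leaks no timing.
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return [];
    }
    $data = json_decode($payload, true);
    if (!is_array($data)) {
        return [];
    }
    // Shape check: integer IDs mapping to strings; anything else is dropped.
    $clean = [];
    foreach ($data as $id => $value) {
        if (is_int($id) && is_string($value)) {
            $clean[$id] = $value;
        }
    }
    return $clean;
}
```

On the write side the cookie value is produced by writePwdCookieHardened($map, $secret); the reader returns an empty array for any cookie whose HMAC does not verify, including the O:4:"Test":0:{} payload from the advisory, which the vulnerable reader would instead instantiate.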