Dotclear PHP Object Injection

CVE-2014-1613

Type: Dotclear PHP Object Injection
Severity: Medium
Affected products: Dotclear
Affected versions: Confirmed in 2.6.1, possibly present in older versions
Vendor: Dotclear
Vendor response: Fix released
Authors: Charlie Briggs
CVE reference: CVE-2014-1613
Timeline
2014-01-14  Initial discovery made
2014-01-20  Vendor notified
2014-01-20  Vendor acknowledges vulnerability and prepares fix
2014-01-20  Vendor releases patch and prepares release of 2.6.2
2014-01-20  Dotclear 2.6.2 released
2014-05-13  Public disclosure

A vulnerability was identified in the Dotclear PHP-based blogging platform that could be exploited to execute arbitrary PHP code.

Description

Dotclear is an open-source, PHP-based blogging platform. One of Dotclear's features is password-protected pages and posts. Because the platform calls PHP's unserialize() on the user-supplied dc_passwd cookie, an attacker can inject arbitrary PHP objects into the application through that cookie, which could lead to remote code execution.

Impact

Successful exploitation of this could lead to execution of arbitrary PHP code.

Cause

PHP supports object serialisation, and unserialize() reconstructs whatever types the serialised string describes, including objects of any class that is loaded or autoloadable. If unserialize() is called on user-supplied data, such as GET/POST parameters or cookies, an attacker can pass a crafted serialised string through one of these channels, causing an arbitrary PHP object to be instantiated within the application scope. The object's magic methods (for example __wakeup() on deserialisation and __destruct() when it is discarded) then run with attacker-chosen property values.

Solution

The vendor recommends upgrading to Dotclear 2.6.2.

Technical Details

When a user accesses a password-protected post or page, a check is performed to see whether the user already has the post/page ID and respective password stored in serialised data in the dc_passwd cookie.

The vulnerable code can be found in /inc/public/lib.urlhandlers.php and again in /plugins/pages/_public.php:

# Password protected entry

if ($post_password != '' && !$_ctx->preview)
{
    # Get passwords cookie
    if (isset($_COOKIE['dc_passwd'])) {
        $pwd_cookie = unserialize($_COOKIE['dc_passwd']);
    } else {
        $pwd_cookie = array();
    }
    ...
}

Setting the dc_passwd cookie to a serialised object that references a class which is not loaded, for example O:4:"Test":0:{}, produces an __PHP_Incomplete_Class instance, and the subsequent array access on it fails with the PHP error "Cannot use object of type __PHP_Incomplete_Class as array". A serialised object referencing a class that is loaded (or one that can be autoloaded), on the other hand, is fully instantiated: unserialize() invokes its __wakeup() method, and __destruct() runs when the object is discarded, so any code in those magic methods executes with attacker-controlled property values, regardless of whether the password check that follows succeeds.

It is not currently known whether any class loaded by a default Dotclear installation makes this vulnerability exploitable out of the box; however, because the platform is extensible with plugins that load additional classes, it could lead to arbitrary code execution.
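The following added example, which is not Dotclear code and not part of the original advisory, illustrates the cause and the technical details above: a hypothetical plugin class (LogWriter) stands in for a gadget, the lookupPassword() function mirrors the vulnerable unserialize-then-index pattern, and lookupPasswordSafe() shows one hardening approach (a JSON cookie protected by an HMAC, which is not necessarily how the vendor fixed 2.6.2). The three cookie values are constructed for the demonstration; SECRET is a placeholder for a per-install key. It assumes PHP 7.1 or later.

```php
<?php
// Added example, not Dotclear code. LogWriter is a hypothetical plugin class
// standing in for a "gadget": any class loaded (or autoloadable) when
// unserialize() runs, whose magic methods do something an attacker wants.
class LogWriter
{
    public $path = '';
    public $data = '';

    // unserialize() calls __wakeup() on every object it reconstructs.
    public function __wakeup()
    {
        echo "  __wakeup(): object of class " . static::class . " created from cookie\n";
    }

    // __destruct() runs when the object is discarded, even if the application
    // never used it. With attacker-controlled properties this is a file write.
    public function __destruct()
    {
        echo "  __destruct(): would write " . strlen($this->data) . " bytes to {$this->path}\n";
    }
}

// Mirrors the vulnerable pattern from the advisory: the cookie is deserialised
// and then used as an array without first checking that it is one.
function lookupPassword(string $cookie, int $postId)
{
    $pwd_cookie = unserialize($cookie);
    return isset($pwd_cookie[$postId]) ? $pwd_cookie[$postId] : null;
}

// Hardened variant: a JSON cookie cannot carry objects, and an HMAC over it
// stops the client tampering with it at all. SECRET is a placeholder for a
// per-install key that would live in the application's configuration.
const SECRET = 'replace-with-a-random-per-install-key';

function buildCookie(array $passwords): string
{
    $json = json_encode($passwords);
    return hash_hmac('sha256', $json, SECRET) . '.' . $json;
}

function lookupPasswordSafe(string $cookie, int $postId)
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $json] = $parts;
    if (!hash_equals(hash_hmac('sha256', $json, SECRET), $mac)) {
        return null;                             // forged or modified cookie
    }
    $pwd_cookie = json_decode($json, true);      // associative arrays only, never objects
    return is_array($pwd_cookie) && isset($pwd_cookie[$postId]) ? $pwd_cookie[$postId] : null;
}

// --- Demonstration with constructed inputs ---------------------------------

// 1. Legitimate cookie as the application itself would set it.
$good = serialize([42 => 'hunter2']);            // a:1:{i:42;s:7:"hunter2";}
echo "Legitimate cookie: ", var_export(lookupPassword($good, 42), true), "\n";

// 2. Unknown class: the object becomes __PHP_Incomplete_Class and the array
//    access fails with the error quoted in the advisory.
try {
    lookupPassword('O:4:"Test":0:{}', 42);
} catch (\Error $e) {
    echo "Unknown class: ", $e->getMessage(), "\n";
}

// 3. Loaded class: the attacker does not need the lookup to succeed. __wakeup()
//    and __destruct() fire regardless, with property values the attacker chose.
$path = '/tmp/shell.php';
$data = '<?php system($_GET["c"]); ?>';
$evil = sprintf('O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
                strlen($path), $path, strlen($data), $data);
echo "Gadget class:\n";
try {
    lookupPassword($evil, 42);
} catch (\Error $e) {
    echo "  lookup failed with: ", $e->getMessage(), "\n";
}

// 4. The same payload against the hardened lookup is rejected before parsing,
//    while a cookie minted by the application still works.
echo "Hardened, forged cookie: ", var_export(lookupPasswordSafe($evil, 42), true), "\n";
echo "Hardened, valid cookie:  ", var_export(lookupPasswordSafe(buildCookie([42 => 'hunter2']), 42), true), "\n";
```

Run it with the PHP CLI and note that in case 3 both magic methods report having run even though the password lookup itself throws; that is the whole point of the bug class. If the cookie format cannot be changed, the narrower mitigation on PHP 7.0 and later is unserialize($cookie, ['allowed_classes' => false]), which turns every object in the string into __PHP_Incomplete_Class and so never invokes a magic method, but it still leaves the cookie contents under the client's control.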