Dotclear <= 2.6.2 (XML-RPC Interface) Authentication Bypass Vulnerability
• Software Link:
• Affected Versions:
Version 2.6.2 and probably prior versions.
• Vulnerability Description:
The vulnerable code is located in the dcXmlRpc::setUser() method (inc/core/class.dc.xmlrpc.php):
private function setUser($user_id,$pwd) { if ($this->core->auth->userID() == $user_id) { return true; } if ($this->core->auth->checkUser($user_id,$pwd) !== true) { throw new Exception('Login error'); } return true; }
The vulnerability exists because of the method not properly verifying the provided password before being used in a call to the dcAuth::checkUser() method at line 270. This could be exploited to bypass the authentication mechanism by sending an XML-RPC request with a valid username and an empty password. Successful exploitation of this vulnerability requires the XML-RPC interface to be enabled (disabled by default).
• Solution:
Update to version 2.6.3.
• Disclosure Timeline:
[14/05/2014] – Vendor notified
[15/05/2014] – Vendor response
[16/05/2014] – Version 2.6.3 released: http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3
[16/05/2014] – CVE number requested
[19/05/2014] – CVE number assigned
[21/05/2014] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-3781 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.