Vigil@nce: Dotclear, file upload via swfupload.swf
March 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When swfupload.swf is installed with Dotclear, an attacker can use
it to upload a PHP file, in order to execute PHP code on the web
server.
– Severity: 1/4
– Creation date: 28/02/2012
IMPACTED PRODUCTS
– Dotclear
DESCRIPTION OF THE VULNERABILITY
The source code of Dotclear contains three Flash applications:
player_flv.swf, player_mp3.swf and swfupload.swf.
The swfupload.swf application comes from the SWFUpload library,
which is composed of JavaScript/Flash. It is used to create a web
interface to upload a file. However, SWFUpload does not limit the
type of files which can be uploaded.
When swfupload.swf is installed with Dotclear, an attacker can
therefore use it to upload a PHP file, in order to execute PHP
code on the web server.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Dotclear-file-upload-via-swfupload-swf-11396