Synthesis of the vulnerability 
When swfupload.swf is installed with Dotclear, an attacker can use it to upload a PHP file, in order to execute PHP code on the web server.
Vulnerable systems: Dotclear.
Severity of this threat: 1/4.
Creation date: 28/02/2012.
References for this weakness: BID-52173, CVE-2011-5083, VIGILANCE-VUL-11396.
Description of the vulnerability 
The source code of Dotclear contains three Flash applications: player_flv.swf, player_mp3.swf and swfupload.swf.
The swfupload.swf application comes from the SWFUpload library, which is composed of JavaScript/Flash. It is used to create a web interface to upload a file. However, SWFUpload does not limit the type of files which can be uploaded.
When swfupload.swf is installed with Dotclear, an attacker can therefore use it to upload a PHP file, in order to execute PHP code on the web server.
This vulnerability alert impacts software or systems such as Dotclear.
Our Vigilance Computer Vulnerability Alerts team determined that the severity of this computer weakness alert is low.
Trust level: confirmed by the editor. Attack origin: internet client.
A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.
Solutions for this threat 
Dotclear: workaround for swfupload.swf.
A workaround is to remove the file inc/swf/swfupload.swf.
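As an added example (not Dotclear's or Vigilance's own code), a POSIX shell check for the workaround above: it reports whether inc/swf/swfupload.swf is still present in a Dotclear root and lists PHP-like files under the media directory, which is assumed here to be public/ (the advisory does not state where SWFUpload writes uploaded files).

```shell
#!/bin/sh
# Added example, not part of Dotclear or the advisory.
# Assumptions: $1 is the Dotclear root; "public" is the media directory
# (Dotclear's default); the upload location itself is an assumption.

# Returns 0 when the workaround is applied (swfupload.swf absent), 1 otherwise.
check_swfupload_workaround() {
    root="$1"
    if [ -f "$root/inc/swf/swfupload.swf" ]; then
        echo "NOT APPLIED: $root/inc/swf/swfupload.swf still present"
        return 1
    fi
    echo "APPLIED: swfupload.swf not found under $root/inc/swf"
    return 0
}

# Prints every PHP-like file under the media directory; such files should
# not exist there and are worth reviewing if swfupload.swf was exposed.
list_php_in_media() {
    media="$1/public"
    [ -d "$media" ] || return 0
    find "$media" -type f \( -name '*.php' -o -name '*.phtml' \
        -o -name '*.php[0-9]' -o -name '*.phar' \)
}

# Usage: sh check_dotclear_swfupload.sh /path/to/dotclear
if [ "$#" -ge 1 ]; then
    check_swfupload_workaround "$1"
    echo "PHP-like files in media directory (expect none):"
    list_php_in_media "$1"
fi
```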