CVE-2024-58281
📋 TL;DR
Dotclear 2.29 contains an authenticated remote code execution vulnerability where attackers with valid credentials can upload malicious PHP files through the media upload functionality. This allows execution of arbitrary system commands via a crafted PHP shell, potentially compromising the entire web server. All Dotclear 2.29 installations with authenticated user accounts are affected.
💻 Affected Systems
- Dotclear
📦 What is this software?
Dotclear by Dotclear
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, lateral movement to other systems, installation of persistent backdoors, and potential ransomware deployment.
Likely Case
Web server compromise allowing data exfiltration, defacement, and use as a foothold for further attacks within the network.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place, though authenticated users could still cause damage.
🎯 Exploit Status
Exploit requires authenticated access; public exploit code is available and easy to use.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.30 or later
Vendor Advisory: https://git.dotclear.org/explore/repos
Restart Required: No
Instructions:
1. Back up your Dotclear installation and database.
2. Download the latest version from the official repository.
3. Replace all files with the updated version.
4. Verify the version shows 2.30 or higher in the admin panel.
🔧 Temporary Workarounds
Restrict PHP file uploads
- Configure the web server to block PHP file execution in upload directories
- For Apache: add 'php_flag engine off' to .htaccess in the upload directory (this only takes effect when PHP runs as an Apache module and AllowOverride permits it; under PHP-FPM, block the PHP handler for that directory in the server configuration instead)
- For Nginx: add 'location ~ \.php$ { deny all; }' to the upload directory config
Implement file type validation
- Add server-side validation to reject PHP file uploads
- Modify the media upload handler to check file extensions and MIME types, checking every dotted suffix of the filename rather than only the last one
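The server-side gate the second workaround describes, written out as an added example in Python; it is not Dotclear's code (Dotclear's own media handler is PHP), and the executable-extension list, the allow-list with its MIME types and magic bytes, and the reserved-name set are assumptions to adapt to the deployment. It rejects every dotted suffix that the web stack might hand to PHP, so a double extension is refused as well as a plain one, and refuses image or PDF content that carries a PHP open tag:

```python
import os

# Suffixes a web server may route to the PHP interpreter. Assumption: this
# covers the usual handler mappings; check it against the server's actual config.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                         "phtml", "phar", "phps", "pht"}

# Files that change how a directory is served; never accept them from a user.
RESERVED_NAMES = {".htaccess", ".htpasswd", "web.config", ".user.ini"}

# Types the hypothetical media handler accepts: expected MIME type and the
# leading bytes (magic) the uploaded content must start with.
ALLOWED = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png", b"\x89PNG\r\n\x1a\n"),
    "gif":  ("image/gif", b"GIF8"),
    "pdf":  ("application/pdf", b"%PDF-"),
}

# PHP open tags; their presence anywhere in an "image" marks a polyglot.
PHP_OPEN_TAGS = (b"<?php", b"<?=", b'<script language="php"')


def validate_upload(filename: str, declared_mime: str, content: bytes) -> tuple[bool, str]:
    """Server-side upload gate. Returns (accepted, reason)."""
    # 1. Filename hygiene: no path components, no NUL bytes, no server control files.
    if not filename or "\x00" in filename or os.path.basename(filename) != filename:
        return False, "invalid filename"
    lower = filename.lower()
    if lower in RESERVED_NAMES:
        return False, "reserved filename"
    parts = lower.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    # 2. Check every dotted suffix, not just the last, so name.php.jpg is refused too.
    for ext in parts[1:]:
        if ext in EXECUTABLE_EXTENSIONS:
            return False, f"executable extension .{ext}"
    final = parts[-1]
    if final not in ALLOWED:
        return False, f"extension .{final} not in allow-list"
    # 3. The declared MIME type and the real bytes must both agree with the extension.
    expected_mime, magic = ALLOWED[final]
    if declared_mime.lower() != expected_mime:
        return False, "MIME type does not match extension"
    if not content.startswith(magic):
        return False, "content does not match extension"
    # 4. A valid image header followed by PHP code is a polyglot; refuse it.
    if any(tag in content for tag in PHP_OPEN_TAGS):
        return False, "PHP code embedded in content"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs, not real uploads.
    print(validate_upload("photo.jpg", "image/jpeg", b"\xff\xd8\xff\x00\x10JFIF"))
    print(validate_upload("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff"))
    print(validate_upload("pic.png", "image/png", b"\x89PNG\r\n\x1a\n<?php echo 1; ?>"))
```

The gate is deliberately allow-list based: anything not explicitly permitted is rejected, and the web-server workaround above remains the second layer in case a future handler mapping is missed here.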
🧯 If You Can't Patch
- Disable media upload functionality entirely for all users
- Implement strict access controls and monitor all authenticated user activity
🔍 How to Verify
Check if Vulnerable:
Check the Dotclear version in the admin panel or via 'grep DC_VERSION ./inc/public/prepend.php'
Check Version:
grep -r 'DC_VERSION' ./inc/public/prepend.php
Verify Fix Applied:
Confirm version is 2.30 or higher in admin panel and test that PHP files cannot be uploaded via media upload
📡 Detection & Monitoring
Log Indicators:
- PHP file uploads via media endpoint
- Unusual POST requests to upload.php with PHP extensions
- Multiple failed upload attempts followed by successful PHP upload
Network Indicators:
- POST requests to /admin/media.php with PHP file content
- Subsequent requests to uploaded PHP files in media directories
SIEM Query:
source="web_logs" (uri_path="/admin/media.php" AND method="POST" AND file_extension="php")
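The log and network indicators above, turned into detection logic that runs over a few constructed Apache combined-format access-log lines (an added example, not part of the advisory or of any Dotclear tooling). The /admin/media.php endpoint is the one the page names; the /public/ media prefix, the severity scheme and the sample traffic are assumptions. A POST to the upload endpoint is flagged on its own, and a later request for a PHP file under a media directory from the same client is escalated, which is the two-step pattern the Network Indicators describe:

```python
import re

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_ENDPOINT = "/admin/media.php"   # from the advisory
MEDIA_PREFIXES = ("/public/",)          # assumption: where uploaded media is served from
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample traffic, not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jan/2025:10:02:45 +0000] "POST /admin/media.php?d=images HTTP/1.1" 302 0
203.0.113.7 - - [14/Jan/2025:10:03:01 +0000] "GET /public/images/img.php HTTP/1.1" 200 310
198.51.100.9 - - [14/Jan/2025:10:05:00 +0000] "GET /public/images/logo.png HTTP/1.1" 200 8812
this line is deliberately malformed
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Walk the log in order and emit alerts for the advisory's indicators.

    medium: any POST to the media upload endpoint, or any PHP file requested
            under a media prefix.
    high:   a PHP file under a media prefix requested by a client that has
            already POSTed to the upload endpoint earlier in the log.
    """
    uploaders = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the sweep
        path_only = rec["path"].split("?", 1)[0]
        request = f'{rec["method"]} {rec["path"]}'
        if rec["method"] == "POST" and path_only == UPLOAD_ENDPOINT:
            uploaders.add(rec["ip"])
            alerts.append({"severity": "medium", "ip": rec["ip"], "ts": rec["ts"],
                           "status": rec["status"], "request": request,
                           "reason": "POST to media upload endpoint"})
        elif path_only.startswith(MEDIA_PREFIXES) and EXEC_EXT_RE.search(path_only):
            seen_upload = rec["ip"] in uploaders
            alerts.append({"severity": "high" if seen_upload else "medium",
                           "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                           "request": request,
                           "reason": "PHP file requested under media directory"
                                     + (" after upload by same client" if seen_upload else "")})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG.splitlines()):
        print(alert)
```

A 200 status on the PHP request in the media directory is worth noting separately: if the web-server workaround above is in place, such a request should not return executed output, so a successful response is evidence that PHP execution in that directory is still enabled.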
🔗 References
- https://git.dotclear.org/explore/repos
- https://github.com/dotclear/dotclear/archive/refs/heads/master.zip
- https://www.exploit-db.com/exploits/52037
- https://www.vulncheck.com/advisories/dotclear-remote-code-execution-via-authenticated-file-upload