Dotclear PHP Object Injection

A vulnerability was identified in the Dotclear PHP-based blogging platform which could be exploited to execute arbitrary PHP code on the web server.

Affected Versions: Confirmed in 2.6.1, possibly present in older versions
CVE Reference:
Author: Charlie Briggs
Severity: Medium Risk
Vendor Response: Fix Released


Description

Dotclear is an open-source, PHP-based blogging platform. One of Dotclear's features is to allow password-protected pages and posts. Because the application calls PHP's unserialize() on user-supplied data, it is possible to inject arbitrary PHP objects via the dc_passwd cookie, which could lead to remote code execution.

Impact

Successful exploitation could lead to execution of arbitrary PHP code in the context of the web server.

Cause

PHP supports object serialisation. When unserialize() is called on user-supplied data, such as GET/POST parameters or cookie values, an attacker can supply a crafted serialised string that causes an object of any loaded (or autoloadable) class to be instantiated with attacker-chosen property values, injecting that object into the application scope.

Solution

The vendor recommends upgrading to Dotclear 2.6.2.

Technical Details

When a user accesses a password-protected post or page, a check is performed to see whether the user already has the post/page ID and respective password stored in serialised data in the dc_passwd cookie.

The vulnerable code can be found in /inc/public/lib.urlhandlers.php and again in /plugins/pages/_public.php:

# Password protected entry
if ($post_password != '' && !$_ctx->preview) {
	# Get passwords cookie
	if (isset($_COOKIE['dc_passwd'])) {
		# Attacker-controlled cookie value passed straight to unserialize()
		$pwd_cookie = unserialize($_COOKIE['dc_passwd']);
	} else {
		$pwd_cookie = array();
	}
	# ... $pwd_cookie is then checked for this entry's ID and password
}

Setting the dc_passwd cookie to a serialised object referencing a class that is not loaded, for example O:4:"Test":0:{}, yields a __PHP_Incomplete_Class instance, and the subsequent array access fails with the PHP error "Cannot use object of type __PHP_Incomplete_Class as array". A serialised object referencing a class that is loaded (or that can be autoloaded), however, is instantiated with attacker-chosen property values, and PHP then invokes its "magic methods": __wakeup() during deserialisation and __destruct() when the object is released. Any code in those methods executes with the attacker's properties.

It is not currently known whether any class loaded by Dotclear core makes this vulnerability exploitable out of the box; however, because the platform is extensible with plugins, a suitable class from any installed plugin could provide the gadget needed for arbitrary code execution.
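The following is an added example to illustrate the behaviour described above; it is not Dotclear's code and is not the vendor's 2.6.2 patch. LogWriter is a hypothetical gadget class standing in for any class that happens to be loaded when the cookie is unserialised; the cookie values are constructed for the demonstration. It shows the vulnerable reader beside two hardened readers: one that keeps the serialised format but refuses to instantiate objects (unserialize() with allowed_classes => false, PHP 7.0 and later), and one that stores the cookie as JSON, which cannot describe PHP objects at all.

```php
<?php
// Added example, not Dotclear's code: how a crafted dc_passwd cookie reaches
// PHP magic methods via unserialize(), beside two hardened ways to read it.
// LogWriter is a hypothetical gadget class standing in for any class that is
// loaded (or autoloadable) at the time the cookie is unserialised.

class LogWriter
{
    public $path;
    public $data;

    // Runs inside unserialize(), right after the object is reconstructed.
    public function __wakeup()
    {
        echo "__wakeup() fired for " . static::class . "\n";
    }

    // Runs when the object is discarded. With attacker-chosen properties this
    // is the classic file-write gadget; the actual write is left commented out.
    public function __destruct()
    {
        echo "__destruct() would write {$this->data} to {$this->path}\n";
        // file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: cookie value handed straight to unserialize().
function readPasswdCookieVulnerable(string $cookie): array
{
    $pwd_cookie = unserialize($cookie);
    // In the original code the next line is an array access on $pwd_cookie;
    // for a non-array result it dies with "Cannot use object of type ... as array".
    return is_array($pwd_cookie) ? $pwd_cookie : [];
}

// Hardened, option 1: keep the serialised format but forbid object creation.
// Any object in the payload becomes __PHP_Incomplete_Class, whose __wakeup()
// and __destruct() are never invoked.
function readPasswdCookieNoObjects(string $cookie): array
{
    $pwd_cookie = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($pwd_cookie) ? $pwd_cookie : [];
}

// Hardened, option 2: store the cookie as JSON instead of serialize() output.
// JSON has no object notation, and only int => string pairs are accepted.
function readPasswdCookieJson(string $cookie): array
{
    $decoded = json_decode($cookie, true);
    $out = [];
    foreach (is_array($decoded) ? $decoded : [] as $id => $pwd) {
        if (ctype_digit((string) $id) && is_string($pwd)) {
            $out[(int) $id] = $pwd;
        }
    }
    return $out;
}

// Constructed cookie values for the demonstration.
$legit   = 'a:1:{i:42;s:6:"secret";}';                 // what the application itself stores
$unknown = 'O:4:"Test":0:{}';                          // class not loaded
$gadget  = 'O:9:"LogWriter":2:{s:4:"path";s:13:"/tmp/evil.php";'
         . 's:4:"data";s:16:"<?php phpinfo();";}';    // loaded class, attacker-chosen properties

foreach (['legit' => $legit, 'unknown' => $unknown, 'gadget' => $gadget] as $name => $cookie) {
    echo "--- $name, vulnerable reader\n";
    var_dump(readPasswdCookieVulnerable($cookie));   // gadget: __wakeup() and __destruct() fire
    echo "--- $name, allowed_classes=false reader\n";
    var_dump(readPasswdCookieNoObjects($cookie));    // gadget: no magic methods, returns []
}
echo "--- JSON reader\n";
var_dump(readPasswdCookieJson(json_encode([42 => 'secret'])));   // JSON form of the same cookie
```

Of the two hardened readers, the JSON one is the stronger choice: allowed_classes => false still parses attacker-controlled serialised data and relies on every call site remembering the option, whereas a cookie that is never passed to unserialize() removes the object-injection surface entirely. Either way, the post/page password check that follows must treat the returned array as untrusted input and compare values with hash_equals() rather than trusting anything the cookie asserts.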

Detailed Timeline

Date Summary
2014/01/14 Initial discovery made
2014/01/20 Vendor notified
2014/01/20 Vendor acknowledges vulnerability and prepares fix
2014/01/20 Vendor releases patch and prepares release of 2.6.2
2014/01/20 Dotclear 2.6.2 released
2014/05/13 Public disclosure