faut le mot de passe :)
On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net> wrote:
L'archive qui détaille un peu tout :
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
2014-07-08 15:08 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net>:
> Jour les gens,
>
> On a reçu ce matin un rapport au sujet d'une faille XSS (voir ci-dessous,
> le mot de passe de l'archive est JPCERT97966327) mais je n'arrive pas à
> reproduire la faille.
> Quelqu'un peut regarder ça de son côté ?
>
> Franck
>
> ---------- Forwarded message ----------
> From: JPCERT/CC <vuls(a)jpcert.or.jp>
> Date: 2014-07-08 4:36 GMT+02:00
> Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN:
> JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
> To: Dotclear Development Team <contact(a)dotclear.net>
>
>
> Hello xave @ the Dotclear Team,
>
> We have received a vulnerability report for one of your products:
>
> - Dotclear 2.6.3 vulnerable to cross-site scripting
>
> I have attached the details of the reported vulnerability to this email.
> The password for the zip file will be sent in a separate email.
> The original report was against version 2.6.2, but the issue was also
> verified to still exist in 2.6.3. Please see the report for more details.
>
> Please take a look at the report and return to us with the information
> such as;
> -validate the products, and whether the reported vulnerability is
> confirmed or not
> -solutions (e.g., patch or module update)
> -workarounds if any
> -estimated time for creation of fixes
> -preferable date for public release on your site
> *we will also publish an advisory for this issue on our vulnerability
> knowledge base, JVN,
http://jvn.jp,
http://jvn.jp/en/,
> synchronizing with your release schedule.
>
> **Caution**
> We have assigned the tracking number for this vulnerability issue;
> [VN: JVN#61637002 / TN: JPCERT#97966327]
> Please be sure to include these numbers in the subject line for
> future communication with us. We appreciate your cooperation on this.
>
> If you have any questions and concerns, please do not hesitate to
> contact us any time.
>
> Thank you in advance for your attention on this matter.
> We are looking forward to hearing from you.
>
> Sincerely yours,
>
> Takayuki Uchiyama
> JPCERT/CC Vulnerability Handling Team
>
> > Hello,
> >
> > Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3
> > was released in May to patch vulnerabilities found in 2.6.2 (listed at
> >
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > )
> >
> > If the vulnerabilities you found are not the one listed and still
> > exist in 2.6.3, please send any information to security(a)dotclear.net
> > where you'll reach several members of the team (we do not use a GPG
> > key).
> >
> > xave, for the Dotclear Team.
> >
> >
> >
> > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp> wrote:
> > > To whom it may concern,
> > >
> > > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
> > > Handling Team. Please excuse the sudden contact.
> > >
> > > If you're not familiar with us or our activities, please
> > > check the following websites for more information.
> > >
> > >
http://www.jpcert.or.jp/english/
> > >
http://www.jpcert.or.jp/english/vh/project.html
> > >
>
http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > >
http://jvn.jp/en/
> > >
> > > We have received a report of a vulnerability found in the
> > > product "Dotclear 2.6.2" from a researcher/user here in Japan
> > > under the vulnerability handling framework called "Information
> > > Security Early Warning Partnership" and the official announcement
> > > #235 "Software Vulnerability Related Information Handling
Measures"
> > > which were designed by Ministry of Economy, Trade and Industry
(METI),
> > > a Japanese cabinet.
> > >
> > > From the website
> > >
http://dotclear.org/contact
> > > we found this email address. We would like to coordinate with you
> > > to solve the reported vulnerability, and your cooperation would be
> > > greatly appreciated.
> > >
> > > Before we provide you the details of the reported vulnerability,
> > > we would like to know the appropriate point-of-contact person,
> > > or department/group/team to communicate in regards to this issue.
> > > It would be greatly appreciated if you could provide us the below
> > > information at your earliest convenience.
> > > -Name of the person/team who is in charge of such issues
> > > -Email address
> > > -PGP key if available
> > >
> > > Once we receive your reply and and point-of-contact information,
> > > we will then send you the original vulnerability report and the
> > > details either in a PGP encrypted message or in a password protected
> > > zip file.
> > >
> > > If you have any questions or concerns, please do not hesitate
> > > to contact us any time.
> > >
> > > Thank you in advance for your attention to this email.
> > > We would very much appreciate your prompt reply.
> > >
> > > Sincerely yours,
> > >
> > > Noriko Takahashi
> > > Leader of Vulnerability Handling Team
> > > Information Coordination Group
> ======================================================================
> JPCERT Coordination Center (JPCERT/CC)
> TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
> PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
>
https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
>
>
>
> --
> Dotclear Team
>
--
Dotclear Team
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev