Note that there are apparently 3 places where it is displayed this way.
On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
I can see it in plain text in the source:
<input type="submit" value="ok" /></p><input
type="hidden" name="xd_check"
value="e583662b0e24493bb6d9e67cdfdc03140104694a" /><input
type="hidden" name="q" value=""><img src=0
onerror=alert(document.cookie)>" /><input type="hidden"
name="qtype" value="p" /></div></form><form
action="/blog/admin/search.php" method="get"><div
class="pager"><ul><li class="first no-link btn"><img
src="images/pagination/no-first.png" alt="Première
page"/></li><li class="prev no-link btn"><img
src="images/pagination/no-previous.png" alt="Page
précédente"/></li><li class="active"><strong>Page 1 /
16</strong></li><li class="next btn"><a
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
src="images/pagination/next.png" alt="Page
suivante"/></a><span class="hidden">Page
suivante</span></li><li class="last btn"><a
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
src="images/pagination/last.png" alt="Dernière
page"/></a><span class="hidden">Dernière
page</span></li><li class="direct-access">Aller à la page :
<input type="text" size="3" name="page"
maxlength="10" /><input type="submit" value="ok"
class="reset" name="ok" /><input type="hidden"
name="q" value=""><img src=0
onerror=alert(document.cookie)>" /><input type="hidden"
name="qtype" value="p"
/></li></ul></div></form><div id="help"><hr
/><div class="help-content clear"><h3>Aide pour cette
page</h3>
(search for "xd_check")
As for why it doesn't reproduce elsewhere, I have no idea, but I can still
clearly see that we don't escape the user input when we should.
On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> Hi again,
>
>
> 2014-07-08 17:28 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
>
> > Apparently it's a problem on the Firefox side, not Dotclear. The strings
> > are, in principle, properly escaped on search and on display.
> >
> > And yes Franck, otherwise the problem would exist whatever the browser.
>
>
>
> >
> > 2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
> >
> > > I also reproduce it with Firefox only, on version 2.6.3 and 2.7-dev
> > > --
> > > Philippe
> > >
> > >
> > > 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
> > > > I reproduce it too, but only with the blue panda! :-)
> > > >
> > > >
> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> > > >
> > > >> I reproduce it on my blog (which doesn't have the latest version, though)
> > > >>
> > > >>
> > > >> On 8 July 2014 16:26, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
> > > >>
> > > >> > JPCERT97966327
> > > >> >
> > > >> >
> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> > > >> >
> > > >> > > we need the password :)
> > > >> > >
> > > >> > >
> > > >> > > On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net> wrote:
> > > >> > >
> > > >> > > > The archive that details pretty much everything:
> > > >> > > > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> > > >> > > >
> > > >> > > >
> > > >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net>:
> > > >> > > >
> > > >> > > > > Hi folks,
> > > >> > > > >
> > > >> > > > > This morning we received a report about an XSS vulnerability (see below,
> > > >> > > > > the archive password is JPCERT97966327) but I can't manage to
> > > >> > > > > reproduce the vulnerability.
> > > >> > > > > Can someone look at it on their side?
> > > >> > > > >
> > > >> > > > > Franck
> > > >> > > > >
> > > >> > > > > ---------- Forwarded message ----------
> > > >> > > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> > > >> > > > > Date: 2014-07-08 4:36 GMT+02:00
> > > >> > > > > Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN:
> > > >> > > > > JVN#61637002 / TN: JPCERT#97966327
> > > >> > > > > To: Dotclear Development Team <contact(a)dotclear.net>
> > > >> > > > >
> > > >> > > > >
> > > >> > > > > Hello xave @ the Dotclear Team,
> > > >> > > > >
> > > >> > > > > We have received a vulnerability report for one of your products:
> > > >> > > > >
> > > >> > > > > - Dotclear 2.6.3 vulnerable to cross-site scripting
> > > >> > > > >
> > > >> > > > > I have attached the details of the reported vulnerability to this email.
> > > >> > > > > The password for the zip file will be sent in a separate email.
> > > >> > > > > The original report was against version 2.6.2, but the issue was also
> > > >> > > > > verified to still exist in 2.6.3. Please see the report for more details.
> > > >> > > > >
> > > >> > > > > Please take a look at the report and return to us with the information
> > > >> > > > > such as;
> > > >> > > > > -validate the products, and whether the reported vulnerability is
> > > >> > > > > confirmed or not
> > > >> > > > > -solutions (e.g., patch or module update)
> > > >> > > > > -workarounds if any
> > > >> > > > > -estimated time for creation of fixes
> > > >> > > > > -preferable date for public release on your site
> > > >> > > > > *we will also publish an advisory for this issue on our vulnerability
> > > >> > > > > knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
> > > >> > > > > synchronizing with your release schedule.
> > > >> > > > >
> > > >> > > > > **Caution**
> > > >> > > > > We have assigned the tracking number for this vulnerability issue;
> > > >> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
> > > >> > > > > Please be sure to include these numbers in the subject line for
> > > >> > > > > future communication with us. We appreciate your cooperation on this.
> > > >> > > > >
> > > >> > > > > If you have any questions and concerns, please do not hesitate to
> > > >> > > > > contact us any time.
> > > >> > > > >
> > > >> > > > > Thank you in advance for your attention on this matter.
> > > >> > > > > We are looking forward to hearing from you.
> > > >> > > > >
> > > >> > > > > Sincerely yours,
> > > >> > > > >
> > > >> > > > > Takayuki Uchiyama
> > > >> > > > > JPCERT/CC Vulnerability Handling Team
> > > >> > > > >
> > > >> > > > > > Hello,
> > > >> > > > > >
> > > >> > > > > > Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3
> > > >> > > > > > was released in May to patch vulnerabilities found in 2.6.2 (listed at
> > > >> > > > > > http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > > >> > > > > > )
> > > >> > > > > >
> > > >> > > > > > If the vulnerabilities you found are not the one listed and still
> > > >> > > > > > exist in 2.6.3, please send any information to security(a)dotclear.net
> > > >> > > > > > where you'll reach several members of the team (we do not use a GPG
> > > >> > > > > > key).
> > > >> > > > > >
> > > >> > > > > > xave, for the Dotclear Team.
> > > >> > > > > >
> > > >> > > > > >
> > > >> > > > > >
> > > >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp> wrote:
> > > >> > > > > > > To whom it may concern,
> > > >> > > > > > >
> > > >> > > > > > > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
> > > >> > > > > > > Handling Team. Please excuse the sudden contact.
> > > >> > > > > > >
> > > >> > > > > > > If you're not familiar with us or our activities, please
> > > >> > > > > > > check the following websites for more information.
> > > >> > > > > > >
> > > >> > > > > > > http://www.jpcert.or.jp/english/
> > > >> > > > > > > http://www.jpcert.or.jp/english/vh/project.html
> > > >> > > > > > > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > > >> > > > > > > http://jvn.jp/en/
> > > >> > > > > > >
> > > >> > > > > > > We have received a report of a vulnerability found in the
> > > >> > > > > > > product "Dotclear 2.6.2" from a researcher/user here in Japan
> > > >> > > > > > > under the vulnerability handling framework called "Information
> > > >> > > > > > > Security Early Warning Partnership" and the official announcement
> > > >> > > > > > > #235 "Software Vulnerability Related Information Handling Measures"
> > > >> > > > > > > which were designed by Ministry of Economy, Trade and Industry (METI),
> > > >> > > > > > > a Japanese cabinet.
> > > >> > > > > > >
> > > >> > > > > > > From the website
> > > >> > > > > > > http://dotclear.org/contact
> > > >> > > > > > > we found this email address. We would like to coordinate with you
> > > >> > > > > > > to solve the reported vulnerability, and your cooperation would be
> > > >> > > > > > > greatly appreciated.
> > > >> > > > > > >
> > > >> > > > > > > Before we provide you the details of the reported vulnerability,
> > > >> > > > > > > we would like to know the appropriate point-of-contact person,
> > > >> > > > > > > or department/group/team to communicate in regards to this issue.
> > > >> > > > > > > It would be greatly appreciated if you could provide us the below
> > > >> > > > > > > information at your earliest convenience.
> > > >> > > > > > > -Name of the person/team who is in charge of such issues
> > > >> > > > > > > -Email address
> > > >> > > > > > > -PGP key if available
> > > >> > > > > > >
> > > >> > > > > > > Once we receive your reply and point-of-contact information,
> > > >> > > > > > > we will then send you the original vulnerability report and the
> > > >> > > > > > > details either in a PGP encrypted message or in a password protected
> > > >> > > > > > > zip file.
> > > >> > > > > > >
> > > >> > > > > > > If you have any questions or concerns, please do not hesitate
> > > >> > > > > > > to contact us any time.
> > > >> > > > > > >
> > > >> > > > > > > Thank you in advance for your attention to this email.
> > > >> > > > > > > We would very much appreciate your prompt reply.
> > > >> > > > > > >
> > > >> > > > > > > Sincerely yours,
> > > >> > > > > > >
> > > >> > > > > > > Noriko Takahashi
> > > >> > > > > > > Leader of Vulnerability Handling Team
> > > >> > > > > > > Information Coordination Group
> > > >> > > > > ======================================================================
> > > >> > > > > JPCERT Coordination Center (JPCERT/CC)
> > > >> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
> > > >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
> > > >> > > > > https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
> > > >> > > > >
> > > >> > > > >
> > > >> > > > >
> > > >> > > > > --
> > > >> > > > > Dotclear Team
> > > >> > > > >
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> > > > --
> > > >> > > > Dotclear Team
> > > >> > > > --
> > > >> > > > Dev mailing list - Dev(a)list.dotclear.org - http://ml.dotclear.org/listinfo/dev
> > > >> > > >
> > > >> > --
> > > >> > Franck
> > --
> > Franck
>
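
The point made at the top of the thread (the search term is written unescaped into the hidden "q" field, while the pager links carry it URL-encoded), as an added PHP example. This is not Dotclear code: the function names are hypothetical and only standard PHP functions are used; the sample term is the one quoted in the thread.

```php
<?php
// Added illustration; not Dotclear code. Function names are hypothetical.
declare(strict_types=1);

// Vulnerable form: the search term lands raw inside value="...", so a
// double quote in $value closes the attribute, as in the quoted source.
function hidden_field_raw(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Hardened form: encode for the HTML attribute context at output time.
function hidden_field(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="hidden" name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '" />';
}

// Pager link: URL-encode the query string, then HTML-encode the whole URL
// because it is itself placed inside an href="..." attribute.
function pager_href(string $base, string $q, string $qtype, int $page): string
{
    $query = http_build_query(['q' => $q, 'qtype' => $qtype, 'page' => $page]);
    return htmlspecialchars($base . '?' . $query, ENT_QUOTES, 'UTF-8');
}

// Regression check: parse the fragment and confirm that it yields exactly
// one element, an <input>, whose value round-trips to the original term.
function renders_single_input(string $html, string $expected): bool
{
    $doc = new DOMDocument();
    // '@' silences libxml warnings on fragments; the XML prefix pins UTF-8.
    @$doc->loadHTML('<?xml encoding="UTF-8"><div id="t">' . $html . '</div>');
    $xp = new DOMXPath($doc);
    $all = $xp->query('//div[@id="t"]//*');
    if ($all === false || $all->length !== 1) return false;
    $el = $all->item(0);
    return $el->nodeName === 'input' && $el->getAttribute('value') === $expected;
}

// The search term from the report, as it appears in the thread.
$q = '"><img src=0 onerror=alert(document.cookie)>';

var_dump(renders_single_input(hidden_field_raw('q', $q), $q)); // raw rendering
var_dump(renders_single_input(hidden_field('q', $q), $q));     // encoded rendering
echo pager_href('/blog/admin/search.php', $q, 'p', 2), "\n";
```

The check fails for the raw rendering because the fragment parses as an input followed by an img element, and passes for the encoded one; a check of this kind can be run against each of the places where the term is displayed.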