Jour les gens,
On a reçu ce matin un rapport au sujet d'une faille XSS (voir ci-dessous,
le mot de passe de l'archive est JPCERT97966327) mais je n'arrive pas à
reproduire la faille.
Quelqu'un peut regarder ça de son côté ?
Franck
---------- Forwarded message ----------
From: JPCERT/CC <vuls(a)jpcert.or.jp>
Date: 2014-07-08 4:36 GMT+02:00
Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN:
JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
To: Dotclear Development Team <contact(a)dotclear.net>
Hello xave @ the Dotclear Team,
We have received a vulnerability report for one of your products:
- Dotclear 2.6.3 vulnerable to cross-site scripting
I have attached the details of the reported vulnerability to this email.
The password for the zip file will be sent in a separate email.
The original report was against version 2.6.2, but the issue was also
verified to still exist in 2.6.3. Please see the report for more details.
Please take a look at the report and return to us with the information
such as;
-validate the products, and whether the reported vulnerability is
confirmed or not
-solutions (e.g., patch or module update)
-workarounds if any
-estimated time for creation of fixes
-preferable date for public release on your site
*we will also publish an advisory for this issue on our vulnerability
knowledge base, JVN,
http://jvn.jp,
http://jvn.jp/en/,
synchronizing with your release schedule.
**Caution**
We have assigned the tracking number for this vulnerability issue;
[VN: JVN#61637002 / TN: JPCERT#97966327]
Please be sure to include these numbers in the subject line for
future communication with us. We appreciate your cooperation on this.
If you have any questions and concerns, please do not hesitate to
contact us any time.
Thank you in advance for your attention on this matter.
We are looking forward to hearing from you.
Sincerely yours,
Takayuki Uchiyama
JPCERT/CC Vulnerability Handling Team
> Hello,
>
> Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3
> was released in May to patch vulnerabilities found in 2.6.2 (listed at
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> )
>
> If the vulnerabilities you found are not the one listed and still
> exist in 2.6.3, please send any information to security(a)dotclear.net
> where you'll reach several members of the team (we do not use a GPG
> key).
>
> xave, for the Dotclear Team.
>
>
>
> On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp> wrote:
> > To whom it may concern,
> >
> > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
> > Handling Team. Please excuse the sudden contact.
> >
> > If you're not familiar with us or our activities, please
> > check the following websites for more information.
> >
> >
http://www.jpcert.or.jp/english/
> >
http://www.jpcert.or.jp/english/vh/project.html
> >
http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> >
http://jvn.jp/en/
> >
> > We have received a report of a vulnerability found in the
> > product "Dotclear 2.6.2" from a researcher/user here in Japan
> > under the vulnerability handling framework called "Information
> > Security Early Warning Partnership" and the official announcement
> > #235 "Software Vulnerability Related Information Handling Measures"
> > which were designed by Ministry of Economy, Trade and Industry (METI),
> > a Japanese cabinet.
> >
> > From the website
> >
http://dotclear.org/contact
> > we found this email address. We would like to coordinate with you
> > to solve the reported vulnerability, and your cooperation would be
> > greatly appreciated.
> >
> > Before we provide you the details of the reported vulnerability,
> > we would like to know the appropriate point-of-contact person,
> > or department/group/team to communicate in regards to this issue.
> > It would be greatly appreciated if you could provide us the below
> > information at your earliest convenience.
> > -Name of the person/team who is in charge of such issues
> > -Email address
> > -PGP key if available
> >
> > Once we receive your reply and and point-of-contact information,
> > we will then send you the original vulnerability report and the
> > details either in a PGP encrypted message or in a password protected
> > zip file.
> >
> > If you have any questions or concerns, please do not hesitate
> > to contact us any time.
> >
> > Thank you in advance for your attention to this email.
> > We would very much appreciate your prompt reply.
> >
> > Sincerely yours,
> >
> > Noriko Takahashi
> > Leader of Vulnerability Handling Team
> > Information Coordination Group
======================================================================
JPCERT Coordination Center (JPCERT/CC)
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
--
Dotclear Team