Re,
2014-07-08 17:28 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
Apparemment c'est un problème côté firefox, pas Dotclear. les
chaînes sont
à priori bien échappées à la recherche et à l'affichage.
Et oui Franck, sinon le problème existerait quel que soit le navigateur.
2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
> Je reproduis avec Firefox seulement aussi, sur la version 2.6.3 et
2.7-dev
> --
> Philippe
>
>
> 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
> > Je reproduis aussi mais uniquement avec le panda bleu ! :-)
> >
> >
> > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> >
> >> je reproduis sur mon blog (mais qui a pas la dernière version)
> >>
> >>
> >> On 8 July 2014 16:26, Franck Paul <carnet.franck.paul(a)gmail.com>
wrote:
> >>
> >> > JPCERT97966327
> >> >
> >> >
> >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> >> >
> >> > > faut le mot de passe :)
> >> > >
> >> > >
> >> > > On 8 July 2014 16:04, Dotclear (contact)
<contact(a)dotclear.net>
> wrote:
> >> > >
> >> > > > L'archive qui détaille un peu tout :
> >> > > >
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> >> > > >
> >> > > >
> >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <
> contact(a)dotclear.net
> >> >:
> >> > > >
> >> > > > > Jour les gens,
> >> > > > >
> >> > > > > On a reçu ce matin un rapport au sujet d'une faille
XSS (voir
> >> > > ci-dessous,
> >> > > > > le mot de passe de l'archive est JPCERT97966327)
mais je
> n'arrive
> >> > pas à
> >> > > > > reproduire la faille.
> >> > > > > Quelqu'un peut regarder ça de son côté ?
> >> > > > >
> >> > > > > Franck
> >> > > > >
> >> > > > > ---------- Forwarded message ----------
> >> > > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> >> > > > > Date: 2014-07-08 4:36 GMT+02:00
> >> > > > > Subject: Re: Inquiry on vulnerability found in Dotclear
2.6.3
> VN:
> >> > > > > JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
> >> > > > > To: Dotclear Development Team
<contact(a)dotclear.net>
> >> > > > >
> >> > > > >
> >> > > > > Hello xave @ the Dotclear Team,
> >> > > > >
> >> > > > > We have received a vulnerability report for one of
your
> products:
> >> > > > >
> >> > > > > - Dotclear 2.6.3 vulnerable to cross-site scripting
> >> > > > >
> >> > > > > I have attached the details of the reported
vulnerability to
> this
> >> > > email.
> >> > > > > The password for the zip file will be sent in a
separate
email.
> >> > > > > The original report was against version 2.6.2, but the
issue
was
> >> also
> >> > > > > verified to still exist in 2.6.3. Please see the report
for
more
> >> > > details.
> >> > > > >
> >> > > > > Please take a look at the report and return to us with
the
> >> > information
> >> > > > > such as;
> >> > > > > -validate the products, and whether the reported
vulnerability
> is
> >> > > > > confirmed or not
> >> > > > > -solutions (e.g., patch or module update)
> >> > > > > -workarounds if any
> >> > > > > -estimated time for creation of fixes
> >> > > > > -preferable date for public release on your site
> >> > > > > *we will also publish an advisory for this issue on
our
> >> > vulnerability
> >> > > > > knowledge base, JVN,
http://jvn.jp,
http://jvn.jp/en/,
> >> > > > > synchronizing with your release schedule.
> >> > > > >
> >> > > > > **Caution**
> >> > > > > We have assigned the tracking number for this
vulnerability
> >> issue;
> >> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
> >> > > > > Please be sure to include these numbers in the
subject line
> for
> >> > > > > future communication with us. We appreciate your
cooperation
> on
> >> > > this.
> >> > > > >
> >> > > > > If you have any questions and concerns, please do not
hesitate
> to
> >> > > > > contact us any time.
> >> > > > >
> >> > > > > Thank you in advance for your attention on this
matter.
> >> > > > > We are looking forward to hearing from you.
> >> > > > >
> >> > > > > Sincerely yours,
> >> > > > >
> >> > > > > Takayuki Uchiyama
> >> > > > > JPCERT/CC Vulnerability Handling Team
> >> > > > >
> >> > > > > > Hello,
> >> > > > > >
> >> > > > > > Please be aware that Dotclear 2.6.2 is not the
latest
version:
> >> > v2.6.3
> >> > > > > > was released in May to patch vulnerabilities found
in 2.6.2
> >> (listed
> >> > > at
> >> > > > > >
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> >> > > > > > )
> >> > > > > >
> >> > > > > > If the vulnerabilities you found are not the one
listed and
> still
> >> > > > > > exist in 2.6.3, please send any information to
> >> > security(a)dotclear.net
> >> > > > > > where you'll reach several members of the team
(we do not
use
> a
> >> GPG
> >> > > > > > key).
> >> > > > > >
> >> > > > > > xave, for the Dotclear Team.
> >> > > > > >
> >> > > > > >
> >> > > > > >
> >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <
vuls(a)jpcert.or.jp
> >
> >> > > wrote:
> >> > > > > > > To whom it may concern,
> >> > > > > > >
> >> > > > > > > Hello. This is Noriko Takahashi from
JPCERT/CC
> Vulnerability
> >> > > > > > > Handling Team. Please excuse the sudden
contact.
> >> > > > > > >
> >> > > > > > > If you're not familiar with us or our
activities, please
> >> > > > > > > check the following websites for more
information.
> >> > > > > > >
> >> > > > > > >
http://www.jpcert.or.jp/english/
> >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
> >> > > > > > >
> >> > > > >
> >> >
>
http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> >> > > > > > >
http://jvn.jp/en/
> >> > > > > > >
> >> > > > > > > We have received a report of a vulnerability
found in the
> >> > > > > > > product "Dotclear 2.6.2" from a
researcher/user here in
> Japan
> >> > > > > > > under the vulnerability handling framework
called
> "Information
> >> > > > > > > Security Early Warning Partnership" and
the official
> >> announcement
> >> > > > > > > #235 "Software Vulnerability Related
Information Handling
> >> > Measures"
> >> > > > > > > which were designed by Ministry of Economy,
Trade and
> Industry
> >> > > > (METI),
> >> > > > > > > a Japanese cabinet.
> >> > > > > > >
> >> > > > > > > From the website
> >> > > > > > >
http://dotclear.org/contact
> >> > > > > > > we found this email address. We would like to
coordinate
> with
> >> you
> >> > > > > > > to solve the reported vulnerability, and your
cooperation
> would
> >> > be
> >> > > > > > > greatly appreciated.
> >> > > > > > >
> >> > > > > > > Before we provide you the details of the
reported
> >> vulnerability,
> >> > > > > > > we would like to know the appropriate
point-of-contact
> person,
> >> > > > > > > or department/group/team to communicate in
regards to this
> >> issue.
> >> > > > > > > It would be greatly appreciated if you could
provide us
the
> >> below
> >> > > > > > > information at your earliest convenience.
> >> > > > > > > -Name of the person/team who is in charge of
such issues
> >> > > > > > > -Email address
> >> > > > > > > -PGP key if available
> >> > > > > > >
> >> > > > > > > Once we receive your reply and and
point-of-contact
> >> information,
> >> > > > > > > we will then send you the original
vulnerability report
and
> the
> >> > > > > > > details either in a PGP encrypted message or
in a password
> >> > > protected
> >> > > > > > > zip file.
> >> > > > > > >
> >> > > > > > > If you have any questions or concerns, please
do not
> hesitate
> >> > > > > > > to contact us any time.
> >> > > > > > >
> >> > > > > > > Thank you in advance for your attention to
this email.
> >> > > > > > > We would very much appreciate your prompt
reply.
> >> > > > > > >
> >> > > > > > > Sincerely yours,
> >> > > > > > >
> >> > > > > > > Noriko Takahashi
> >> > > > > > > Leader of Vulnerability Handling Team
> >> > > > > > > Information Coordination Group
> >> > > > >
> >> >
======================================================================
> >> > > > > JPCERT Coordination Center (JPCERT/CC)
> >> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL:
> >> vuls(a)jpcert.or.jp
> >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52
D4 F8
8D
> 50
> >> FC
> >> > > > >
https://www.jpcert.or.jp/english http://jvn.jp/en/
> >> >
http://jvn.jp
> >> > > > >
> >> > > > >
> >> > > > >
> >> > > > > --
> >> > > > > Dotclear Team
> >> > > > >
> >> > > >
> >> > > >
> >> > > >
> >> > > > --
> >> > > > Dotclear Team
> >> > > > --
> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > > >
http://ml.dotclear.org/listinfo/dev
> >> > > >
> >> > > --
> >> > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > >
http://ml.dotclear.org/listinfo/dev
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Franck
> >> > --
> >> > Dev mailing list - Dev(a)list.dotclear.org -
> >> >
http://ml.dotclear.org/listinfo/dev
> >> >
> >> --
> >> Dev mailing list - Dev(a)list.dotclear.org -
> >>
http://ml.dotclear.org/listinfo/dev
> >>
> > --
> > Dev mailing list - Dev(a)list.dotclear.org -
>
http://ml.dotclear.org/listinfo/dev
> --
> Dev mailing list - Dev(a)list.dotclear.org -
>
http://ml.dotclear.org/listinfo/dev
>
--
Franck
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev