J'ai commité un truc vite fait pour tenter de corriger ça. Vous pouvez
vérifier demain avec la nightly ? (branche 2.6)
2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
Where is your patch Julien ? :-D
2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
>
>
> On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
>
> > moi je vois en clair dans le source:
> >
> > <input type="submit" value="ok" /></p><input
type="hidden"
> name="xd_check" value="e583662b0e24493bb6d9e67cdfdc03140104694a"
/><input
> type="hidden" name="q" value=""><img src=0
onerror=alert(document.cookie)>"
> /><input type="hidden" name="qtype" value="p"
/></div></form><form
> action="/blog/admin/search.php" method="get"><div
class="pager"><ul><li
> class="first no-link btn"><img
src="images/pagination/no-first.png"
> alt="Première page"/></li><li class="prev no-link
btn"><img
> src="images/pagination/no-previous.png" alt="Page
précédente"/></li><li
> class="active"><strong>Page 1 / 16</strong></li><li
class="next btn"><a
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
> src="images/pagination/next.png" alt="Page
suivante"/></a><span
> class="hidden">Page suivante</span></li><li
class="last btn"><a
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
> src="images/pagination/last.png" alt="Dernière
page"/></a><span
> class="hidden">Dernière page</span></li><li
class="direct-access">Aller à
> la page : <input type="text" size="3" name="page"
maxlength="10" /><input
> type="submit" value="ok" class="reset"
name="ok" /><input type="hidden"
> name="q" value=""><img src=0
onerror=alert(document.cookie)>" /><input
> type="hidden" name="qtype" value="p"
/></li></ul></div></form><div
> id="help"><hr /><div class="help-content
clear"><h3>Aide pour cette
> page</h3>
> >
> >
> > (cherche "xd_check")
> >
> > après, pourquoi ça se reproduit pas ailleurs, j'en sais rien, mais je
> vois
> > quand même bien qu'on échappe pas l'entrée utilisateur alors qu'on
le
> > devrait.
> >
> >
> > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> >
> >> Re,
> >>
> >>
> >> 2014-07-08 17:28 GMT+02:00 Franck Paul
<carnet.franck.paul(a)gmail.com>:
> >>
> >> > Apparemment c'est un problème côté firefox, pas Dotclear. les
chaînes
> >> sont
> >> > à priori bien échappées à la recherche et à l'affichage.
> >> >
> >> > Et oui Franck, sinon le problème existerait quel que soit le
> navigateur.
> >>
> >>
> >>
> >> >
> >> > 2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
> >> >
> >> > > Je reproduis avec Firefox seulement aussi, sur la version 2.6.3
et
> >> > 2.7-dev
> >> > > --
> >> > > Philippe
> >> > >
> >> > >
> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
> >> > > > Je reproduis aussi mais uniquement avec le panda bleu ! :-)
> >> > > >
> >> > > >
> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com>:
> >> > > >
> >> > > >> je reproduis sur mon blog (mais qui a pas la dernière
version)
> >> > > >>
> >> > > >>
> >> > > >> On 8 July 2014 16:26, Franck Paul
<carnet.franck.paul(a)gmail.com
> >
> >> > wrote:
> >> > > >>
> >> > > >> > JPCERT97966327
> >> > > >> >
> >> > > >> >
> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com
> >:
> >> > > >> >
> >> > > >> > > faut le mot de passe :)
> >> > > >> > >
> >> > > >> > >
> >> > > >> > > On 8 July 2014 16:04, Dotclear (contact) <
> contact(a)dotclear.net
> >> >
> >> > > wrote:
> >> > > >> > >
> >> > > >> > > > L'archive qui détaille un peu tout :
> >> > > >> > > >
> >> >
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> >> > > >> > > >
> >> > > >> > > >
> >> > > >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear
(contact) <
> >> > > contact(a)dotclear.net
> >> > > >> >:
> >> > > >> > > >
> >> > > >> > > > > Jour les gens,
> >> > > >> > > > >
> >> > > >> > > > > On a reçu ce matin un rapport au
sujet d'une faille XSS
> >> (voir
> >> > > >> > > ci-dessous,
> >> > > >> > > > > le mot de passe de l'archive est
JPCERT97966327) mais je
> >> > > n'arrive
> >> > > >> > pas à
> >> > > >> > > > > reproduire la faille.
> >> > > >> > > > > Quelqu'un peut regarder ça de son
côté ?
> >> > > >> > > > >
> >> > > >> > > > > Franck
> >> > > >> > > > >
> >> > > >> > > > > ---------- Forwarded message
----------
> >> > > >> > > > > From: JPCERT/CC
<vuls(a)jpcert.or.jp>
> >> > > >> > > > > Date: 2014-07-08 4:36 GMT+02:00
> >> > > >> > > > > Subject: Re: Inquiry on vulnerability
found in Dotclear
> >> 2.6.3
> >> > > VN:
> >> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
> >> > > >> > > > > To: Dotclear Development Team
<contact(a)dotclear.net>
> >> > > >> > > > >
> >> > > >> > > > >
> >> > > >> > > > > Hello xave @ the Dotclear Team,
> >> > > >> > > > >
> >> > > >> > > > > We have received a vulnerability
report for one of your
> >> > > products:
> >> > > >> > > > >
> >> > > >> > > > > - Dotclear 2.6.3 vulnerable to
cross-site scripting
> >> > > >> > > > >
> >> > > >> > > > > I have attached the details of the
reported
> vulnerability
> >> to
> >> > > this
> >> > > >> > > email.
> >> > > >> > > > > The password for the zip file will be
sent in a separate
> >> > email.
> >> > > >> > > > > The original report was against
version 2.6.2, but the
> >> issue
> >> > was
> >> > > >> also
> >> > > >> > > > > verified to still exist in 2.6.3.
Please see the report
> for
> >> > more
> >> > > >> > > details.
> >> > > >> > > > >
> >> > > >> > > > > Please take a look at the report and
return to us with
> the
> >> > > >> > information
> >> > > >> > > > > such as;
> >> > > >> > > > > -validate the products, and whether
the reported
> >> > vulnerability
> >> > > is
> >> > > >> > > > > confirmed or not
> >> > > >> > > > > -solutions (e.g., patch or module
update)
> >> > > >> > > > > -workarounds if any
> >> > > >> > > > > -estimated time for creation of
fixes
> >> > > >> > > > > -preferable date for public release
on your site
> >> > > >> > > > > *we will also publish an advisory
for this issue on
> our
> >> > > >> > vulnerability
> >> > > >> > > > > knowledge base, JVN,
http://jvn.jp,
>
http://jvn.jp/en/,
> >> > > >> > > > > synchronizing with your release
schedule.
> >> > > >> > > > >
> >> > > >> > > > > **Caution**
> >> > > >> > > > > We have assigned the tracking
number for this
> >> vulnerability
> >> > > >> issue;
> >> > > >> > > > > [VN: JVN#61637002 / TN:
JPCERT#97966327]
> >> > > >> > > > > Please be sure to include these
numbers in the subject
> >> line
> >> > > for
> >> > > >> > > > > future communication with us. We
appreciate your
> >> > cooperation
> >> > > on
> >> > > >> > > this.
> >> > > >> > > > >
> >> > > >> > > > > If you have any questions and
concerns, please do not
> >> hesitate
> >> > > to
> >> > > >> > > > > contact us any time.
> >> > > >> > > > >
> >> > > >> > > > > Thank you in advance for your
attention on this matter.
> >> > > >> > > > > We are looking forward to hearing
from you.
> >> > > >> > > > >
> >> > > >> > > > > Sincerely yours,
> >> > > >> > > > >
> >> > > >> > > > > Takayuki Uchiyama
> >> > > >> > > > > JPCERT/CC Vulnerability Handling
Team
> >> > > >> > > > >
> >> > > >> > > > > > Hello,
> >> > > >> > > > > >
> >> > > >> > > > > > Please be aware that Dotclear
2.6.2 is not the latest
> >> > version:
> >> > > >> > v2.6.3
> >> > > >> > > > > > was released in May to patch
vulnerabilities found in
> >> 2.6.2
> >> > > >> (listed
> >> > > >> > > at
> >> > > >> > > > > >
> >> > > >> > > > >
> >> > > >> > > >
> >> > > >> > >
> >> > > >> >
> >> > > >>
> >> > >
> >> >
> >>
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> >> > > >> > > > > > )
> >> > > >> > > > > >
> >> > > >> > > > > > If the vulnerabilities you found
are not the one
> listed
> >> and
> >> > > still
> >> > > >> > > > > > exist in 2.6.3, please send any
information to
> >> > > >> > security(a)dotclear.net
> >> > > >> > > > > > where you'll reach several
members of the team (we do
> not
> >> > use
> >> > > a
> >> > > >> GPG
> >> > > >> > > > > > key).
> >> > > >> > > > > >
> >> > > >> > > > > > xave, for the Dotclear Team.
> >> > > >> > > > > >
> >> > > >> > > > > >
> >> > > >> > > > > >
> >> > > >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM,
JPCERT/CC <
> >> > vuls(a)jpcert.or.jp
> >> > > >
> >> > > >> > > wrote:
> >> > > >> > > > > > > To whom it may concern,
> >> > > >> > > > > > >
> >> > > >> > > > > > > Hello. This is Noriko
Takahashi from JPCERT/CC
> >> > > Vulnerability
> >> > > >> > > > > > > Handling Team. Please
excuse the sudden contact.
> >> > > >> > > > > > >
> >> > > >> > > > > > > If you're not familiar
with us or our activities,
> >> please
> >> > > >> > > > > > > check the following
websites for more information.
> >> > > >> > > > > > >
> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/
> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
> >> > > >> > > > > > >
> >> > > >> > > > >
> >> > > >> >
> >> > >
> >>
http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> >> > > >> > > > > > >
http://jvn.jp/en/
> >> > > >> > > > > > >
> >> > > >> > > > > > > We have received a report
of a vulnerability found
> in
> >> the
> >> > > >> > > > > > > product "Dotclear
2.6.2" from a researcher/user
> here in
> >> > > Japan
> >> > > >> > > > > > > under the vulnerability
handling framework called
> >> > > "Information
> >> > > >> > > > > > > Security Early Warning
Partnership" and the official
> >> > > >> announcement
> >> > > >> > > > > > > #235 "Software
Vulnerability Related Information
> >> Handling
> >> > > >> > Measures"
> >> > > >> > > > > > > which were designed by
Ministry of Economy, Trade
> and
> >> > > Industry
> >> > > >> > > > (METI),
> >> > > >> > > > > > > a Japanese cabinet.
> >> > > >> > > > > > >
> >> > > >> > > > > > > From the website
> >> > > >> > > > > > >
http://dotclear.org/contact
> >> > > >> > > > > > > we found this email
address. We would like to
> >> coordinate
> >> > > with
> >> > > >> you
> >> > > >> > > > > > > to solve the reported
vulnerability, and your
> >> cooperation
> >> > > would
> >> > > >> > be
> >> > > >> > > > > > > greatly appreciated.
> >> > > >> > > > > > >
> >> > > >> > > > > > > Before we provide you the
details of the reported
> >> > > >> vulnerability,
> >> > > >> > > > > > > we would like to know the
appropriate
> point-of-contact
> >> > > person,
> >> > > >> > > > > > > or department/group/team to
communicate in regards
> to
> >> this
> >> > > >> issue.
> >> > > >> > > > > > > It would be greatly
appreciated if you could
> provide us
> >> > the
> >> > > >> below
> >> > > >> > > > > > > information at your
earliest convenience.
> >> > > >> > > > > > > -Name of the person/team
who is in charge of such
> >> issues
> >> > > >> > > > > > > -Email address
> >> > > >> > > > > > > -PGP key if available
> >> > > >> > > > > > >
> >> > > >> > > > > > > Once we receive your reply
and and point-of-contact
> >> > > >> information,
> >> > > >> > > > > > > we will then send you the
original vulnerability
> report
> >> > and
> >> > > the
> >> > > >> > > > > > > details either in a PGP
encrypted message or in a
> >> password
> >> > > >> > > protected
> >> > > >> > > > > > > zip file.
> >> > > >> > > > > > >
> >> > > >> > > > > > > If you have any questions
or concerns, please do not
> >> > > hesitate
> >> > > >> > > > > > > to contact us any time.
> >> > > >> > > > > > >
> >> > > >> > > > > > > Thank you in advance for
your attention to this
> email.
> >> > > >> > > > > > > We would very much
appreciate your prompt reply.
> >> > > >> > > > > > >
> >> > > >> > > > > > > Sincerely yours,
> >> > > >> > > > > > >
> >> > > >> > > > > > > Noriko Takahashi
> >> > > >> > > > > > > Leader of Vulnerability
Handling Team
> >> > > >> > > > > > > Information Coordination
Group
> >> > > >> > > > >
> >> > > >> >
> >> >
> ======================================================================
> >> > > >> > > > > JPCERT Coordination Center
(JPCERT/CC)
> >> > > >> > > > > TEL: +81-3-3518-4600 FAX:
+81-3-3518-4602 EMAIL:
> >> > > >> vuls(a)jpcert.or.jp
> >> > > >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D
39 19 29 63 89 52
> D4
> >> F8
> >> > 8D
> >> > > 50
> >> > > >> FC
> >> > > >> > > > >
https://www.jpcert.or.jp/english
http://jvn.jp/en/
> >> > > >> >
http://jvn.jp
> >> > > >> > > > >
> >> > > >> > > > >
> >> > > >> > > > >
> >> > > >> > > > > --
> >> > > >> > > > > Dotclear Team
> >> > > >> > > > >
> >> > > >> > > >
> >> > > >> > > >
> >> > > >> > > >
> >> > > >> > > > --
> >> > > >> > > > Dotclear Team
> >> > > >> > > > --
> >> > > >> > > > Dev mailing list - Dev(a)list.dotclear.org
-
> >> > > >> > > >
http://ml.dotclear.org/listinfo/dev
> >> > > >> > > >
> >> > > >> > > --
> >> > > >> > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > > >> > >
http://ml.dotclear.org/listinfo/dev
> >> > > >> > >
> >> > > >> >
> >> > > >> >
> >> > > >> >
> >> > > >> > --
> >> > > >> > Franck
> >> > > >> > --
> >> > > >> > Dev mailing list - Dev(a)list.dotclear.org -
> >> > > >> >
http://ml.dotclear.org/listinfo/dev
> >> > > >> >
> >> > > >> --
> >> > > >> Dev mailing list - Dev(a)list.dotclear.org -
> >> > > >>
http://ml.dotclear.org/listinfo/dev
> >> > > >>
> >> > > > --
> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > >
http://ml.dotclear.org/listinfo/dev
> >> > > --
> >> > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > >
http://ml.dotclear.org/listinfo/dev
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Franck
> >> > --
> >> > Dev mailing list - Dev(a)list.dotclear.org -
> >> >
http://ml.dotclear.org/listinfo/dev
> >> >
> >> --
> >> Dev mailing list - Dev(a)list.dotclear.org -
> >>
http://ml.dotclear.org/listinfo/dev
> >>
> >
> >
> --
> Dev mailing list - Dev(a)list.dotclear.org -
>
http://ml.dotclear.org/listinfo/dev
>
--
Franck