[Dotclear Dev] Fwd: Fwd: [oss-security] Re: CVE Request: Dotclear: XSS vulnerability in comments managment page and media exclusion control enforcement
C'est passé en spam chez moi, l'avez-vous vu ?
---------- Forwarded message ----------
From: Aymeric (APLU) <dotclear(a)mulx.net>
Date: 2016-03-07 11:22 GMT+01:00
Subject: [Dotclear Dev] Fwd: [oss-security] Re: CVE Request: Dotclear: XSS
vulnerability in comments managment page and media exclusion control
enforcement
To: dev(a)list.dotclear.org
Bonjour,
Pour information, deux CVE ont été affecté à Dotclear pour des correctifs
sécurité effectués en 2.8.2.
Aymeric.
-------- Original Message --------
Subject: [oss-security] Re: CVE Request: Dotclear: XSS vulnerability in
comments managment page and media exclusion control enforcement
Date: 2016-03-07 04:04
From: cve-assign(a)mitre.org
To: carnil(a)debian.org
Cc: cve-assign(a)mitre.org, oss-security(a)lists.openwall.com
Reply-To: oss-security(a)lists.openwall.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dotclear, a web publishing software, fixed a cross-site scripting
vulnerability in 2.8.2. Additionally the media exlusion control in
the
media manager was furhter enforced:
https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2
The XSS vulnerability was fixed with
https://hg.dotclear.org/dotclear/rev/65e65154dadf
admin/comments.php
-
form::hidden(array('author'),preg_replace('/%/','%%',$author)).
+
form::hidden(array('author'),html::escapeHTML(preg_replace('/%/','%%',$author))).
Use CVE-2015-8831.
The second mentioned issue was addressed with
https://hg.dotclear.org/dotclear/rev/198580bc3d80
inc/core/class.dc.core.php
- array('media_exclusion','string','/\.php[0-9]*$/i',
+
array('media_exclusion','string','/\.(phps?|pht(ml)?|phl)[0-9]*$/i',
Use CVE-2015-8832.
- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJW3O4DAAoJEL54rhJi8gl5MnsQALSILA8PaHLFRRQbrXcz43e/
PGGgyWrqqZQY5KvfLkDmcTSR7D9JuIFfQa0jU6I88h62PZ0jk8nWwrWdozOchgZW
fyO2Zbdh3BMO3RW+hMnTpKVq66WvSFSs1vFIAG6y44RY7ddWCjVLWYw1r7MJnnNW
gzyqH4QrMUFMr3eki8rWOWXX4gCZ104D25eChC406M08QGBO77xSYn5llK68CraS
2HRFuVtUleHMgS/JkBS6VWd2dBYNQPaHtIUM+THvDePh9HV+J4jrS24qc6cDEsHR
uFP/8oAn47ob8sJeSfdZp4Rqq8r12aOFsHReCQa69N/gaXtLdEFAuKJSx+yCClAR
v0XcmlWUeum/3zr+/vTBXj+K+IESHPOWZl6YxuW125c1KgSba2rkeuORT/nq4R1l
vraRd479fpA22+s5ii81EjxtEgGMKT/woHdxlJRgJeBCtiuXRYcoanS4QmNfw00C
wasOMNYaaYwJtBOMDEgCLFZlvO3/7EuWPFZidoKTGc58o4fwz3TXEG7Ez8rVL9EF
CaIzjl9wx5MLaLQhj6G8SgM3+mtDPN7/yLfDj0E7nhSsY9Sr98NXdlBIvrEbkNGK
FBOFE/xQxzNKSDQI7+p+7pQ5drpIK/53GwcgVw4dbepNgJNn6DQVzDhiN92o+Kwx
vMgmqdP5oqnZIf7Ya+V7
=0vja
-----END PGP SIGNATURE-----
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev