[Dotclear Dev] Fwd: [Open Time] Fwd: XSS in dotclear

Plop ? la XSS swfupload n'est pas complètement corrigée, cf ci-dessous. ---------- Forwarded message ---------- From: mala <mala(a)ma.la&gt; Date: 2013/5/7 Subject: [Open Time] Fwd: XSS in dotclear To: carnet.franck.paul(a)gmail.com Bonjour, Vous avez reçu un message venant de la page contact de votre blog. Blog : Open Time Message de : mala <mala(a)ma.la&gt; Site web : Message : ----------------------------------------------------------- ---------- Forwarded message ---------- From: mala <mala(a)ma.la&gt; Date: Sat, May 4, 2013 at 5:50 PM Subject: XSS in dotclear, dotclear.org To: security(a)dotclear.net Dear dotclear security team, Hi, I'm Japanese programmer/security researcher. This is wrong method to fix vuln. http://dev.dotclear.org/2.0/changeset/1115 Example: http://dotclear.org/?pf=swfupload.swf#?&movieName="])}catch(e){a... -- Franck