Les deux autres endroits sont, je pense, les boutons de pagination
(inc/admin/lib.pager.php)
2014-07-10 10:56 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
mmm c'est pas un peu bourrin? ça risque pas de péter les
recherches parfois
?
ce que je fais généralement, c'est deux variables: une "échappée" que
j'utilise dès que je veux écrire, une "non échappée" pour les appels
d'API.
Tu sais quels sont les 3 endroits qui écrivent cette variable ? J'en vois
un avec le form::field là, mais je vois pas les autres
On 10 July 2014 10:36, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
> J'ai commité un truc vite fait pour tenter de corriger ça. Vous pouvez
> vérifier demain avec la nightly ? (branche 2.6)
>
>
> 2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
>
> > Where is your patch Julien ? :-D
> >
> >
> > 2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> >
> > note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
> >>
> >>
> >> On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
> >>
> >> > moi je vois en clair dans le source:
> >> >
> >> > <input type="submit" value="ok"
/></p><input type="hidden"
> >> name="xd_check"
value="e583662b0e24493bb6d9e67cdfdc03140104694a"
> /><input
> >> type="hidden" name="q" value=""><img
src=0
> onerror=alert(document.cookie)>"
> >> /><input type="hidden" name="qtype"
value="p" /></div></form><form
> >> action="/blog/admin/search.php"
method="get"><div
class="pager"><ul><li
> >> class="first no-link btn"><img
src="images/pagination/no-first.png"
> >> alt="Première page"/></li><li class="prev
no-link btn"><img
> >> src="images/pagination/no-previous.png" alt="Page
précédente"/></li><li
> >> class="active"><strong>Page 1 /
16</strong></li><li class="next
btn"><a
> >>
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
> >> src="images/pagination/next.png" alt="Page
suivante"/></a><span
> >> class="hidden">Page suivante</span></li><li
class="last btn"><a
> >>
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
> >> src="images/pagination/last.png" alt="Dernière
page"/></a><span
> >> class="hidden">Dernière page</span></li><li
class="direct-access">Aller
> à
> >> la page : <input type="text" size="3"
name="page" maxlength="10"
> /><input
> >> type="submit" value="ok" class="reset"
name="ok" /><input
type="hidden"
> >> name="q" value=""><img src=0
onerror=alert(document.cookie)>"
/><input
> >> type="hidden" name="qtype" value="p"
/></li></ul></div></form><div
> >> id="help"><hr /><div class="help-content
clear"><h3>Aide pour cette
> >> page</h3>
> >> >
> >> >
> >> > (cherche "xd_check")
> >> >
> >> > après, pourquoi ça se reproduit pas ailleurs, j'en sais rien,
mais
je
> >> vois
> >> > quand même bien qu'on échappe pas l'entrée utilisateur alors
qu'on
le
> >> > devrait.
> >> >
> >> >
> >> > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> >> >
> >> >> Re,
> >> >>
> >> >>
> >> >> 2014-07-08 17:28 GMT+02:00 Franck Paul <
carnet.franck.paul(a)gmail.com
> >:
> >> >>
> >> >> > Apparemment c'est un problème côté firefox, pas Dotclear.
les
> chaînes
> >> >> sont
> >> >> > à priori bien échappées à la recherche et à l'affichage.
> >> >> >
> >> >> > Et oui Franck, sinon le problème existerait quel que soit le
> >> navigateur.
> >> >>
> >> >>
> >> >>
> >> >> >
> >> >> > 2014-07-08 17:06 GMT+02:00 Philippe
<philippe(a)dissitou.org>:
> >> >> >
> >> >> > > Je reproduis avec Firefox seulement aussi, sur la
version 2.6.3
> et
> >> >> > 2.7-dev
> >> >> > > --
> >> >> > > Philippe
> >> >> > >
> >> >> > >
> >> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas
<nikrou77(a)gmail.com>:
> >> >> > > > Je reproduis aussi mais uniquement avec le panda
bleu ! :-)
> >> >> > > >
> >> >> > > >
> >> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com
>:
> >> >> > > >
> >> >> > > >> je reproduis sur mon blog (mais qui a pas la
dernière
version)
> >> >> > > >>
> >> >> > > >>
> >> >> > > >> On 8 July 2014 16:26, Franck Paul <
> carnet.franck.paul(a)gmail.com
> >> >
> >> >> > wrote:
> >> >> > > >>
> >> >> > > >> > JPCERT97966327
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg
<
> felash(a)gmail.com
> >> >:
> >> >> > > >> >
> >> >> > > >> > > faut le mot de passe :)
> >> >> > > >> > >
> >> >> > > >> > >
> >> >> > > >> > > On 8 July 2014 16:04, Dotclear
(contact) <
> >> contact(a)dotclear.net
> >> >> >
> >> >> > > wrote:
> >> >> > > >> > >
> >> >> > > >> > > > L'archive qui détaille un
peu tout :
> >> >> > > >> > > >
> >> >> >
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> >> >> > > >> > > >
> >> >> > > >> > > >
> >> >> > > >> > > > 2014-07-08 15:08 GMT+02:00
Dotclear (contact) <
> >> >> > > contact(a)dotclear.net
> >> >> > > >> >:
> >> >> > > >> > > >
> >> >> > > >> > > > > Jour les gens,
> >> >> > > >> > > > >
> >> >> > > >> > > > > On a reçu ce matin un
rapport au sujet d'une faille
> XSS
> >> >> (voir
> >> >> > > >> > > ci-dessous,
> >> >> > > >> > > > > le mot de passe de
l'archive est JPCERT97966327)
mais
> je
> >> >> > > n'arrive
> >> >> > > >> > pas à
> >> >> > > >> > > > > reproduire la faille.
> >> >> > > >> > > > > Quelqu'un peut regarder
ça de son côté ?
> >> >> > > >> > > > >
> >> >> > > >> > > > > Franck
> >> >> > > >> > > > >
> >> >> > > >> > > > > ---------- Forwarded
message ----------
> >> >> > > >> > > > > From: JPCERT/CC
<vuls(a)jpcert.or.jp>
> >> >> > > >> > > > > Date: 2014-07-08 4:36
GMT+02:00
> >> >> > > >> > > > > Subject: Re: Inquiry on
vulnerability found in
> Dotclear
> >> >> 2.6.3
> >> >> > > VN:
> >> >> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
> >> >> > > >> > > > > To: Dotclear Development
Team <contact(a)dotclear.net
>
> >> >> > > >> > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > > > Hello xave @ the Dotclear
Team,
> >> >> > > >> > > > >
> >> >> > > >> > > > > We have received a
vulnerability report for one of
> your
> >> >> > > products:
> >> >> > > >> > > > >
> >> >> > > >> > > > > - Dotclear 2.6.3
vulnerable to cross-site
scripting
> >> >> > > >> > > > >
> >> >> > > >> > > > > I have attached the details
of the reported
> >> vulnerability
> >> >> to
> >> >> > > this
> >> >> > > >> > > email.
> >> >> > > >> > > > > The password for the zip
file will be sent in a
> separate
> >> >> > email.
> >> >> > > >> > > > > The original report was
against version 2.6.2, but
the
> >> >> issue
> >> >> > was
> >> >> > > >> also
> >> >> > > >> > > > > verified to still exist in
2.6.3. Please see the
> report
> >> for
> >> >> > more
> >> >> > > >> > > details.
> >> >> > > >> > > > >
> >> >> > > >> > > > > Please take a look at the
report and return to us
with
> >> the
> >> >> > > >> > information
> >> >> > > >> > > > > such as;
> >> >> > > >> > > > > -validate the products,
and whether the reported
> >> >> > vulnerability
> >> >> > > is
> >> >> > > >> > > > > confirmed or not
> >> >> > > >> > > > > -solutions (e.g., patch or
module update)
> >> >> > > >> > > > > -workarounds if any
> >> >> > > >> > > > > -estimated time for
creation of fixes
> >> >> > > >> > > > > -preferable date for
public release on your site
> >> >> > > >> > > > > *we will also publish an
advisory for this issue
on
> >> our
> >> >> > > >> > vulnerability
> >> >> > > >> > > > > knowledge base, JVN,
http://jvn.jp,
> >>
http://jvn.jp/en/,
> >> >> > > >> > > > > synchronizing with your
release schedule.
> >> >> > > >> > > > >
> >> >> > > >> > > > > **Caution**
> >> >> > > >> > > > > We have assigned the
tracking number for this
> >> >> vulnerability
> >> >> > > >> issue;
> >> >> > > >> > > > > [VN: JVN#61637002 / TN:
JPCERT#97966327]
> >> >> > > >> > > > > Please be sure to include
these numbers in the
> subject
> >> >> line
> >> >> > > for
> >> >> > > >> > > > > future communication with
us. We appreciate your
> >> >> > cooperation
> >> >> > > on
> >> >> > > >> > > this.
> >> >> > > >> > > > >
> >> >> > > >> > > > > If you have any questions
and concerns, please do
not
> >> >> hesitate
> >> >> > > to
> >> >> > > >> > > > > contact us any time.
> >> >> > > >> > > > >
> >> >> > > >> > > > > Thank you in advance for
your attention on this
> matter.
> >> >> > > >> > > > > We are looking forward to
hearing from you.
> >> >> > > >> > > > >
> >> >> > > >> > > > > Sincerely yours,
> >> >> > > >> > > > >
> >> >> > > >> > > > > Takayuki Uchiyama
> >> >> > > >> > > > > JPCERT/CC Vulnerability
Handling Team
> >> >> > > >> > > > >
> >> >> > > >> > > > > > Hello,
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > Please be aware that
Dotclear 2.6.2 is not the
> latest
> >> >> > version:
> >> >> > > >> > v2.6.3
> >> >> > > >> > > > > > was released in May to
patch vulnerabilities found
> in
> >> >> 2.6.2
> >> >> > > >> (listed
> >> >> > > >> > > at
> >> >> > > >> > > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > >
> >> >> > > >> > >
> >> >> > > >> >
> >> >> > > >>
> >> >> > >
> >> >> >
> >> >>
> >>
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> >> >> > > >> > > > > > )
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > If the vulnerabilities
you found are not the one
> >> listed
> >> >> and
> >> >> > > still
> >> >> > > >> > > > > > exist in 2.6.3, please
send any information to
> >> >> > > >> > security(a)dotclear.net
> >> >> > > >> > > > > > where you'll reach
several members of the team (we
> do
> >> not
> >> >> > use
> >> >> > > a
> >> >> > > >> GPG
> >> >> > > >> > > > > > key).
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > xave, for the Dotclear
Team.
> >> >> > > >> > > > > >
> >> >> > > >> > > > > >
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > On Wed, Jun 25, 2014
at 5:10 AM, JPCERT/CC <
> >> >> > vuls(a)jpcert.or.jp
> >> >> > > >
> >> >> > > >> > > wrote:
> >> >> > > >> > > > > > > To whom it may
concern,
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Hello. This is
Noriko Takahashi from JPCERT/CC
> >> >> > > Vulnerability
> >> >> > > >> > > > > > > Handling Team.
Please excuse the sudden
contact.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > If you're not
familiar with us or our
activities,
> >> >> please
> >> >> > > >> > > > > > > check the
following websites for more
information.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/
> >> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
> >> >> > > >> > > > > > >
> >> >> > > >> > > > >
> >> >> > > >> >
> >> >> > >
> >> >>
>
http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> >> >> > > >> > > > > > >
http://jvn.jp/en/
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > We have received
a report of a vulnerability
found
> >> in
> >> >> the
> >> >> > > >> > > > > > > product
"Dotclear 2.6.2" from a researcher/user
> >> here in
> >> >> > > Japan
> >> >> > > >> > > > > > > under the
vulnerability handling framework
called
> >> >> > > "Information
> >> >> > > >> > > > > > > Security Early
Warning Partnership" and the
> official
> >> >> > > >> announcement
> >> >> > > >> > > > > > > #235
"Software Vulnerability Related Information
> >> >> Handling
> >> >> > > >> > Measures"
> >> >> > > >> > > > > > > which were
designed by Ministry of Economy,
Trade
> >> and
> >> >> > > Industry
> >> >> > > >> > > > (METI),
> >> >> > > >> > > > > > > a Japanese
cabinet.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > From the website
> >> >> > > >> > > > > > >
http://dotclear.org/contact
> >> >> > > >> > > > > > > we found this
email address. We would like to
> >> >> coordinate
> >> >> > > with
> >> >> > > >> you
> >> >> > > >> > > > > > > to solve the
reported vulnerability, and your
> >> >> cooperation
> >> >> > > would
> >> >> > > >> > be
> >> >> > > >> > > > > > > greatly
appreciated.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Before we provide
you the details of the
reported
> >> >> > > >> vulnerability,
> >> >> > > >> > > > > > > we would like to
know the appropriate
> >> point-of-contact
> >> >> > > person,
> >> >> > > >> > > > > > > or
department/group/team to communicate in
regards
> >> to
> >> >> this
> >> >> > > >> issue.
> >> >> > > >> > > > > > > It would be
greatly appreciated if you could
> >> provide us
> >> >> > the
> >> >> > > >> below
> >> >> > > >> > > > > > > information at
your earliest convenience.
> >> >> > > >> > > > > > > -Name of the
person/team who is in charge of
such
> >> >> issues
> >> >> > > >> > > > > > > -Email address
> >> >> > > >> > > > > > > -PGP key if
available
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Once we receive
your reply and and
> point-of-contact
> >> >> > > >> information,
> >> >> > > >> > > > > > > we will then send
you the original vulnerability
> >> report
> >> >> > and
> >> >> > > the
> >> >> > > >> > > > > > > details either in
a PGP encrypted message or in
a
> >> >> password
> >> >> > > >> > > protected
> >> >> > > >> > > > > > > zip file.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > If you have any
questions or concerns, please do
> not
> >> >> > > hesitate
> >> >> > > >> > > > > > > to contact us any
time.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Thank you in
advance for your attention to this
> >> email.
> >> >> > > >> > > > > > > We would very
much appreciate your prompt reply.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Sincerely yours,
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Noriko Takahashi
> >> >> > > >> > > > > > > Leader of
Vulnerability Handling Team
> >> >> > > >> > > > > > > Information
Coordination Group
> >> >> > > >> > > > >
> >> >> > > >> >
> >> >> >
> >> ======================================================================
> >> >> > > >> > > > > JPCERT Coordination Center
(JPCERT/CC)
> >> >> > > >> > > > > TEL: +81-3-3518-4600 FAX:
+81-3-3518-4602 EMAIL:
> >> >> > > >> vuls(a)jpcert.or.jp
> >> >> > > >> > > > > PGP key: 0x33E6021D: B9 E8
68 35 2D 39 19 29 63 89
52
> >> D4
> >> >> F8
> >> >> > 8D
> >> >> > > 50
> >> >> > > >> FC
> >> >> > > >> > > > >
https://www.jpcert.or.jp/english
http://jvn.jp/en/
> >> >> > > >> >
http://jvn.jp
> >> >> > > >> > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > > > --
> >> >> > > >> > > > > Dotclear Team
> >> >> > > >> > > > >
> >> >> > > >> > > >
> >> >> > > >> > > >
> >> >> > > >> > > >
> >> >> > > >> > > > --
> >> >> > > >> > > > Dotclear Team
> >> >> > > >> > > > --
> >> >> > > >> > > > Dev mailing list -
Dev(a)list.dotclear.org -
> >> >> > > >> > > >
http://ml.dotclear.org/listinfo/dev
> >> >> > > >> > > >
> >> >> > > >> > > --
> >> >> > > >> > > Dev mailing list -
Dev(a)list.dotclear.org -
> >> >> > > >> > >
http://ml.dotclear.org/listinfo/dev
> >> >> > > >> > >
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> > --
> >> >> > > >> > Franck
> >> >> > > >> > --
> >> >> > > >> > Dev mailing list - Dev(a)list.dotclear.org
-
> >> >> > > >> >
http://ml.dotclear.org/listinfo/dev
> >> >> > > >> >
> >> >> > > >> --
> >> >> > > >> Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > > >>
http://ml.dotclear.org/listinfo/dev
> >> >> > > >>
> >> >> > > > --
> >> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > >
http://ml.dotclear.org/listinfo/dev
> >> >> > > --
> >> >> > > Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > >
http://ml.dotclear.org/listinfo/dev
> >> >> > >
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Franck
> >> >> > --
> >> >> > Dev mailing list - Dev(a)list.dotclear.org -
> >> >> >
http://ml.dotclear.org/listinfo/dev
> >> >> >
> >> >> --
> >> >> Dev mailing list - Dev(a)list.dotclear.org -
> >> >>
http://ml.dotclear.org/listinfo/dev
> >> >>
> >> >
> >> >
> >> --
> >> Dev mailing list - Dev(a)list.dotclear.org -
> >>
http://ml.dotclear.org/listinfo/dev
> >>
> >
> >
> >
> > --
> > Franck
> >
>
>
>
> --
> Franck
> --
> Dev mailing list - Dev(a)list.dotclear.org -
>
http://ml.dotclear.org/listinfo/dev
>
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev