Fwd: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
3:08 p.m.
Jour les gens,
On a reçu ce matin un rapport au sujet d'une faille XSS (voir ci-dessous,
le mot de passe de l'archive est JPCERT97966327) mais je n'arrive pas à
reproduire la faille.
Quelqu'un peut regarder ça de son côté ?
Franck
---------- Forwarded message ----------
From: JPCERT/CC <vuls(a)jpcert.or.jp>
Date: 2014-07-08 4:36 GMT+02:00
Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN:
JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
To: Dotclear Development Team <contact(a)dotclear.net>
Hello xave @ the Dotclear Team,
We have received a vulnerability report for one of your products:
- Dotclear 2.6.3 vulnerable to cross-site scripting
I have attached the details of the reported vulnerability to this email.
The password for the zip file will be sent in a separate email.
The original report was against version 2.6.2, but the issue was also
verified to still exist in 2.6.3. Please see the report for more details.
Please take a look at the report and return to us with the information
such as;
-validate the products, and whether the reported vulnerability is
confirmed or not
-solutions (e.g., patch or module update)
-workarounds if any
-estimated time for creation of fixes
-preferable date for public release on your site
*we will also publish an advisory for this issue on our vulnerability
knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
synchronizing with your release schedule.
**Caution**
We have assigned the tracking number for this vulnerability issue;
[VN: JVN#61637002 / TN: JPCERT#97966327]
Please be sure to include these numbers in the subject line for
future communication with us. We appreciate your cooperation on this.
If you have any questions and concerns, please do not hesitate to
contact us any time.
Thank you in advance for your attention on this matter.
We are looking forward to hearing from you.
Sincerely yours,
Takayuki Uchiyama
JPCERT/CC Vulnerability Handling Team
Hello,
Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3
was released in May to patch vulnerabilities found in 2.6.2 (listed at
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
)
If the vulnerabilities you found are not the one listed and still
exist in 2.6.3, please send any information to security(a)dotclear.net
where you'll reach several members of the team (we do not use a GPG
key).
xave, for the Dotclear Team.
On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp> wrote:
> To whom it may concern,
>
> Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
> Handling Team. Please excuse the sudden contact.
>
> If you're not familiar with us or our activities, please
> check the following websites for more information.
>
> http://www.jpcert.or.jp/english/
> http://www.jpcert.or.jp/english/vh/project.html
> http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> http://jvn.jp/en/
>
> We have received a report of a vulnerability found in the
> product "Dotclear 2.6.2" from a researcher/user here in Japan
> under the vulnerability handling framework called "Information
> Security Early Warning Partnership" and the official announcement
> #235 "Software Vulnerability Related Information Handling Measures"
> which were designed by Ministry of Economy, Trade and Industry (METI),
> a Japanese cabinet.
>
> From the website
> http://dotclear.org/contact
> we found this email address. We would like to coordinate with you
> to solve the reported vulnerability, and your cooperation would be
> greatly appreciated.
>
> Before we provide you the details of the reported vulnerability,
> we would like to know the appropriate point-of-contact person,
> or department/group/team to communicate in regards to this issue.
> It would be greatly appreciated if you could provide us the below
> information at your earliest convenience.
> -Name of the person/team who is in charge of such issues
> -Email address
> -PGP key if available
>
> Once we receive your reply and and point-of-contact information,
> we will then send you the original vulnerability report and the
> details either in a PGP encrypted message or in a password protected
> zip file.
>
> If you have any questions or concerns, please do not hesitate
> to contact us any time.
>
> Thank you in advance for your attention to this email.
> We would very much appreciate your prompt reply.
>
> Sincerely yours,
>
> Noriko Takahashi
> Leader of Vulnerability Handling Team
> Information Coordination Group
======================================================================
JPCERT Coordination Center (JPCERT/CC)
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
--
Dotclear Team
4:04 p.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
L'archive qui détaille un peu tout :
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
2014-07-08 15:08 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net>:
Jour les gens,
On a reçu ce matin un rapport au sujet d'une faille XSS (voir ci-dessous,
le mot de passe de l'archive est JPCERT97966327) mais je n'arrive pas à
reproduire la faille.
Quelqu'un peut regarder ça de son côté ?
Franck
---------- Forwarded message ----------
From: JPCERT/CC <vuls(a)jpcert.or.jp>
Date: 2014-07-08 4:36 GMT+02:00
Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN:
JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
To: Dotclear Development Team <contact(a)dotclear.net>
Hello xave @ the Dotclear Team,
We have received a vulnerability report for one of your products:
- Dotclear 2.6.3 vulnerable to cross-site scripting
I have attached the details of the reported vulnerability to this email.
The password for the zip file will be sent in a separate email.
The original report was against version 2.6.2, but the issue was also
verified to still exist in 2.6.3. Please see the report for more details.
Please take a look at the report and return to us with the information
such as;
-validate the products, and whether the reported vulnerability is
confirmed or not
-solutions (e.g., patch or module update)
-workarounds if any
-estimated time for creation of fixes
-preferable date for public release on your site
*we will also publish an advisory for this issue on our vulnerability
knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
synchronizing with your release schedule.
**Caution**
We have assigned the tracking number for this vulnerability issue;
[VN: JVN#61637002 / TN: JPCERT#97966327]
Please be sure to include these numbers in the subject line for
future communication with us. We appreciate your cooperation on this.
If you have any questions and concerns, please do not hesitate to
contact us any time.
Thank you in advance for your attention on this matter.
We are looking forward to hearing from you.
Sincerely yours,
Takayuki Uchiyama
JPCERT/CC Vulnerability Handling Team
> Hello,
>
> Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3
> was released in May to patch vulnerabilities found in 2.6.2 (listed at
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> )
>
> If the vulnerabilities you found are not the one listed and still
> exist in 2.6.3, please send any information to security(a)dotclear.net
> where you'll reach several members of the team (we do not use a GPG
> key).
>
> xave, for the Dotclear Team.
>
>
>
> On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp> wrote:
> > To whom it may concern,
> >
> > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
> > Handling Team. Please excuse the sudden contact.
> >
> > If you're not familiar with us or our activities, please
> > check the following websites for more information.
> >
> > http://www.jpcert.or.jp/english/
> > http://www.jpcert.or.jp/english/vh/project.html
> >
http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > http://jvn.jp/en/
> >
> > We have received a report of a vulnerability found in the
> > product "Dotclear 2.6.2" from a researcher/user here in Japan
> > under the vulnerability handling framework called "Information
> > Security Early Warning Partnership" and the official announcement
> > #235 "Software Vulnerability Related Information Handling Measures"
> > which were designed by Ministry of Economy, Trade and Industry (METI),
> > a Japanese cabinet.
> >
> > From the website
> > http://dotclear.org/contact
> > we found this email address. We would like to coordinate with you
> > to solve the reported vulnerability, and your cooperation would be
> > greatly appreciated.
> >
> > Before we provide you the details of the reported vulnerability,
> > we would like to know the appropriate point-of-contact person,
> > or department/group/team to communicate in regards to this issue.
> > It would be greatly appreciated if you could provide us the below
> > information at your earliest convenience.
> > -Name of the person/team who is in charge of such issues
> > -Email address
> > -PGP key if available
> >
> > Once we receive your reply and and point-of-contact information,
> > we will then send you the original vulnerability report and the
> > details either in a PGP encrypted message or in a password protected
> > zip file.
> >
> > If you have any questions or concerns, please do not hesitate
> > to contact us any time.
> >
> > Thank you in advance for your attention to this email.
> > We would very much appreciate your prompt reply.
> >
> > Sincerely yours,
> >
> > Noriko Takahashi
> > Leader of Vulnerability Handling Team
> > Information Coordination Group
======================================================================
JPCERT Coordination Center (JPCERT/CC)
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
--
Dotclear Team
--
Dotclear Team
4:22 p.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
faut le mot de passe :)
On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net> wrote:
L'archive qui détaille un peu tout :
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
2014-07-08 15:08 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net>:
> Jour les gens,
>
> On a reçu ce matin un rapport au sujet d'une faille XSS (voir ci-dessous,
> le mot de passe de l'archive est JPCERT97966327) mais je n'arrive pas à
> reproduire la faille.
> Quelqu'un peut regarder ça de son côté ?
>
> Franck
>
> ---------- Forwarded message ----------
> From: JPCERT/CC <vuls(a)jpcert.or.jp>
> Date: 2014-07-08 4:36 GMT+02:00
> Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN:
> JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
> To: Dotclear Development Team <contact(a)dotclear.net>
>
>
> Hello xave @ the Dotclear Team,
>
> We have received a vulnerability report for one of your products:
>
> - Dotclear 2.6.3 vulnerable to cross-site scripting
>
> I have attached the details of the reported vulnerability to this email.
> The password for the zip file will be sent in a separate email.
> The original report was against version 2.6.2, but the issue was also
> verified to still exist in 2.6.3. Please see the report for more details.
>
> Please take a look at the report and return to us with the information
> such as;
> -validate the products, and whether the reported vulnerability is
> confirmed or not
> -solutions (e.g., patch or module update)
> -workarounds if any
> -estimated time for creation of fixes
> -preferable date for public release on your site
> *we will also publish an advisory for this issue on our vulnerability
> knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
> synchronizing with your release schedule.
>
> **Caution**
> We have assigned the tracking number for this vulnerability issue;
> [VN: JVN#61637002 / TN: JPCERT#97966327]
> Please be sure to include these numbers in the subject line for
> future communication with us. We appreciate your cooperation on this.
>
> If you have any questions and concerns, please do not hesitate to
> contact us any time.
>
> Thank you in advance for your attention on this matter.
> We are looking forward to hearing from you.
>
> Sincerely yours,
>
> Takayuki Uchiyama
> JPCERT/CC Vulnerability Handling Team
>
> > Hello,
> >
> > Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3
> > was released in May to patch vulnerabilities found in 2.6.2 (listed at
> >
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > )
> >
> > If the vulnerabilities you found are not the one listed and still
> > exist in 2.6.3, please send any information to security(a)dotclear.net
> > where you'll reach several members of the team (we do not use a GPG
> > key).
> >
> > xave, for the Dotclear Team.
> >
> >
> >
> > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp> wrote:
> > > To whom it may concern,
> > >
> > > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
> > > Handling Team. Please excuse the sudden contact.
> > >
> > > If you're not familiar with us or our activities, please
> > > check the following websites for more information.
> > >
> > > http://www.jpcert.or.jp/english/
> > > http://www.jpcert.or.jp/english/vh/project.html
> > >
> http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > > http://jvn.jp/en/
> > >
> > > We have received a report of a vulnerability found in the
> > > product "Dotclear 2.6.2" from a researcher/user here in Japan
> > > under the vulnerability handling framework called "Information
> > > Security Early Warning Partnership" and the official announcement
> > > #235 "Software Vulnerability Related Information Handling
Measures"
> > > which were designed by Ministry of Economy, Trade and Industry
(METI),
> > > a Japanese cabinet.
> > >
> > > From the website
> > > http://dotclear.org/contact
> > > we found this email address. We would like to coordinate with you
> > > to solve the reported vulnerability, and your cooperation would be
> > > greatly appreciated.
> > >
> > > Before we provide you the details of the reported vulnerability,
> > > we would like to know the appropriate point-of-contact person,
> > > or department/group/team to communicate in regards to this issue.
> > > It would be greatly appreciated if you could provide us the below
> > > information at your earliest convenience.
> > > -Name of the person/team who is in charge of such issues
> > > -Email address
> > > -PGP key if available
> > >
> > > Once we receive your reply and and point-of-contact information,
> > > we will then send you the original vulnerability report and the
> > > details either in a PGP encrypted message or in a password protected
> > > zip file.
> > >
> > > If you have any questions or concerns, please do not hesitate
> > > to contact us any time.
> > >
> > > Thank you in advance for your attention to this email.
> > > We would very much appreciate your prompt reply.
> > >
> > > Sincerely yours,
> > >
> > > Noriko Takahashi
> > > Leader of Vulnerability Handling Team
> > > Information Coordination Group
> ======================================================================
> JPCERT Coordination Center (JPCERT/CC)
> TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
> PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
> https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
>
>
>
> --
> Dotclear Team
>
--
Dotclear Team
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
4:26 p.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
JPCERT97966327
2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
faut le mot de passe :)
On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net> wrote:
> L'archive qui détaille un peu tout :
> https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
>
>
> 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net>:
>
> > Jour les gens,
> >
> > On a reçu ce matin un rapport au sujet d'une faille XSS (voir
ci-dessous,
> > le mot de passe de l'archive est JPCERT97966327) mais je n'arrive pas
à
> > reproduire la faille.
> > Quelqu'un peut regarder ça de son côté ?
> >
> > Franck
> >
> > ---------- Forwarded message ----------
> > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> > Date: 2014-07-08 4:36 GMT+02:00
> > Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN:
> > JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
> > To: Dotclear Development Team <contact(a)dotclear.net>
> >
> >
> > Hello xave @ the Dotclear Team,
> >
> > We have received a vulnerability report for one of your products:
> >
> > - Dotclear 2.6.3 vulnerable to cross-site scripting
> >
> > I have attached the details of the reported vulnerability to this
email.
> > The password for the zip file will be sent in a separate email.
> > The original report was against version 2.6.2, but the issue was also
> > verified to still exist in 2.6.3. Please see the report for more
details.
> >
> > Please take a look at the report and return to us with the information
> > such as;
> > -validate the products, and whether the reported vulnerability is
> > confirmed or not
> > -solutions (e.g., patch or module update)
> > -workarounds if any
> > -estimated time for creation of fixes
> > -preferable date for public release on your site
> > *we will also publish an advisory for this issue on our vulnerability
> > knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
> > synchronizing with your release schedule.
> >
> > **Caution**
> > We have assigned the tracking number for this vulnerability issue;
> > [VN: JVN#61637002 / TN: JPCERT#97966327]
> > Please be sure to include these numbers in the subject line for
> > future communication with us. We appreciate your cooperation on
this.
> >
> > If you have any questions and concerns, please do not hesitate to
> > contact us any time.
> >
> > Thank you in advance for your attention on this matter.
> > We are looking forward to hearing from you.
> >
> > Sincerely yours,
> >
> > Takayuki Uchiyama
> > JPCERT/CC Vulnerability Handling Team
> >
> > > Hello,
> > >
> > > Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3
> > > was released in May to patch vulnerabilities found in 2.6.2 (listed
at
> > >
> >
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > > )
> > >
> > > If the vulnerabilities you found are not the one listed and still
> > > exist in 2.6.3, please send any information to security(a)dotclear.net
> > > where you'll reach several members of the team (we do not use a GPG
> > > key).
> > >
> > > xave, for the Dotclear Team.
> > >
> > >
> > >
> > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp>
wrote:
> > > > To whom it may concern,
> > > >
> > > > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
> > > > Handling Team. Please excuse the sudden contact.
> > > >
> > > > If you're not familiar with us or our activities, please
> > > > check the following websites for more information.
> > > >
> > > > http://www.jpcert.or.jp/english/
> > > > http://www.jpcert.or.jp/english/vh/project.html
> > > >
> > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > > > http://jvn.jp/en/
> > > >
> > > > We have received a report of a vulnerability found in the
> > > > product "Dotclear 2.6.2" from a researcher/user here in
Japan
> > > > under the vulnerability handling framework called "Information
> > > > Security Early Warning Partnership" and the official
announcement
> > > > #235 "Software Vulnerability Related Information Handling
Measures"
> > > > which were designed by Ministry of Economy, Trade and Industry
> (METI),
> > > > a Japanese cabinet.
> > > >
> > > > From the website
> > > > http://dotclear.org/contact
> > > > we found this email address. We would like to coordinate with you
> > > > to solve the reported vulnerability, and your cooperation would be
> > > > greatly appreciated.
> > > >
> > > > Before we provide you the details of the reported vulnerability,
> > > > we would like to know the appropriate point-of-contact person,
> > > > or department/group/team to communicate in regards to this issue.
> > > > It would be greatly appreciated if you could provide us the below
> > > > information at your earliest convenience.
> > > > -Name of the person/team who is in charge of such issues
> > > > -Email address
> > > > -PGP key if available
> > > >
> > > > Once we receive your reply and and point-of-contact information,
> > > > we will then send you the original vulnerability report and the
> > > > details either in a PGP encrypted message or in a password
protected
> > > > zip file.
> > > >
> > > > If you have any questions or concerns, please do not hesitate
> > > > to contact us any time.
> > > >
> > > > Thank you in advance for your attention to this email.
> > > > We would very much appreciate your prompt reply.
> > > >
> > > > Sincerely yours,
> > > >
> > > > Noriko Takahashi
> > > > Leader of Vulnerability Handling Team
> > > > Information Coordination Group
> > ======================================================================
> > JPCERT Coordination Center (JPCERT/CC)
> > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
> > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
> > https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
> >
> >
> >
> > --
> > Dotclear Team
> >
>
>
>
> --
> Dotclear Team
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
--
Franck
4:40 p.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
je reproduis sur mon blog (mais qui a pas la dernière version)
On 8 July 2014 16:26, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
JPCERT97966327
2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> faut le mot de passe :)
>
>
> On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net> wrote:
>
> > L'archive qui détaille un peu tout :
> > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> >
> >
> > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net>:
> >
> > > Jour les gens,
> > >
> > > On a reçu ce matin un rapport au sujet d'une faille XSS (voir
> ci-dessous,
> > > le mot de passe de l'archive est JPCERT97966327) mais je n'arrive
pas à
> > > reproduire la faille.
> > > Quelqu'un peut regarder ça de son côté ?
> > >
> > > Franck
> > >
> > > ---------- Forwarded message ----------
> > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> > > Date: 2014-07-08 4:36 GMT+02:00
> > > Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN:
> > > JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
> > > To: Dotclear Development Team <contact(a)dotclear.net>
> > >
> > >
> > > Hello xave @ the Dotclear Team,
> > >
> > > We have received a vulnerability report for one of your products:
> > >
> > > - Dotclear 2.6.3 vulnerable to cross-site scripting
> > >
> > > I have attached the details of the reported vulnerability to this
> email.
> > > The password for the zip file will be sent in a separate email.
> > > The original report was against version 2.6.2, but the issue was also
> > > verified to still exist in 2.6.3. Please see the report for more
> details.
> > >
> > > Please take a look at the report and return to us with the
information
> > > such as;
> > > -validate the products, and whether the reported vulnerability is
> > > confirmed or not
> > > -solutions (e.g., patch or module update)
> > > -workarounds if any
> > > -estimated time for creation of fixes
> > > -preferable date for public release on your site
> > > *we will also publish an advisory for this issue on our
vulnerability
> > > knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
> > > synchronizing with your release schedule.
> > >
> > > **Caution**
> > > We have assigned the tracking number for this vulnerability issue;
> > > [VN: JVN#61637002 / TN: JPCERT#97966327]
> > > Please be sure to include these numbers in the subject line for
> > > future communication with us. We appreciate your cooperation on
> this.
> > >
> > > If you have any questions and concerns, please do not hesitate to
> > > contact us any time.
> > >
> > > Thank you in advance for your attention on this matter.
> > > We are looking forward to hearing from you.
> > >
> > > Sincerely yours,
> > >
> > > Takayuki Uchiyama
> > > JPCERT/CC Vulnerability Handling Team
> > >
> > > > Hello,
> > > >
> > > > Please be aware that Dotclear 2.6.2 is not the latest version:
v2.6.3
> > > > was released in May to patch vulnerabilities found in 2.6.2 (listed
> at
> > > >
> > >
> >
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > > > )
> > > >
> > > > If the vulnerabilities you found are not the one listed and still
> > > > exist in 2.6.3, please send any information to
security(a)dotclear.net
> > > > where you'll reach several members of the team (we do not use a
GPG
> > > > key).
> > > >
> > > > xave, for the Dotclear Team.
> > > >
> > > >
> > > >
> > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp>
> wrote:
> > > > > To whom it may concern,
> > > > >
> > > > > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
> > > > > Handling Team. Please excuse the sudden contact.
> > > > >
> > > > > If you're not familiar with us or our activities, please
> > > > > check the following websites for more information.
> > > > >
> > > > > http://www.jpcert.or.jp/english/
> > > > > http://www.jpcert.or.jp/english/vh/project.html
> > > > >
> > >
http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > > > > http://jvn.jp/en/
> > > > >
> > > > > We have received a report of a vulnerability found in the
> > > > > product "Dotclear 2.6.2" from a researcher/user here
in Japan
> > > > > under the vulnerability handling framework called
"Information
> > > > > Security Early Warning Partnership" and the official
announcement
> > > > > #235 "Software Vulnerability Related Information Handling
Measures"
> > > > > which were designed by Ministry of Economy, Trade and Industry
> > (METI),
> > > > > a Japanese cabinet.
> > > > >
> > > > > From the website
> > > > > http://dotclear.org/contact
> > > > > we found this email address. We would like to coordinate with
you
> > > > > to solve the reported vulnerability, and your cooperation would
be
> > > > > greatly appreciated.
> > > > >
> > > > > Before we provide you the details of the reported
vulnerability,
> > > > > we would like to know the appropriate point-of-contact person,
> > > > > or department/group/team to communicate in regards to this
issue.
> > > > > It would be greatly appreciated if you could provide us the
below
> > > > > information at your earliest convenience.
> > > > > -Name of the person/team who is in charge of such issues
> > > > > -Email address
> > > > > -PGP key if available
> > > > >
> > > > > Once we receive your reply and and point-of-contact
information,
> > > > > we will then send you the original vulnerability report and the
> > > > > details either in a PGP encrypted message or in a password
> protected
> > > > > zip file.
> > > > >
> > > > > If you have any questions or concerns, please do not hesitate
> > > > > to contact us any time.
> > > > >
> > > > > Thank you in advance for your attention to this email.
> > > > > We would very much appreciate your prompt reply.
> > > > >
> > > > > Sincerely yours,
> > > > >
> > > > > Noriko Takahashi
> > > > > Leader of Vulnerability Handling Team
> > > > > Information Coordination Group
> > >
======================================================================
> > > JPCERT Coordination Center (JPCERT/CC)
> > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
> > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
> > > https://www.jpcert.or.jp/english http://jvn.jp/en/
http://jvn.jp
> > >
> > >
> > >
> > > --
> > > Dotclear Team
> > >
> >
> >
> >
> > --
> > Dotclear Team
> > --
> > Dev mailing list - Dev(a)list.dotclear.org -
> > http://ml.dotclear.org/listinfo/dev
> >
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Franck
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
4:41 p.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Je reproduis aussi mais uniquement avec le panda bleu ! :-)
2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
je reproduis sur mon blog (mais qui a pas la dernière version)
On 8 July 2014 16:26, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
> JPCERT97966327
>
>
> 2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
>
> > faut le mot de passe :)
> >
> >
> > On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net> wrote:
> >
> > > L'archive qui détaille un peu tout :
> > > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> > >
> > >
> > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net
>:
> > >
> > > > Jour les gens,
> > > >
> > > > On a reçu ce matin un rapport au sujet d'une faille XSS (voir
> > ci-dessous,
> > > > le mot de passe de l'archive est JPCERT97966327) mais je
n'arrive
> pas à
> > > > reproduire la faille.
> > > > Quelqu'un peut regarder ça de son côté ?
> > > >
> > > > Franck
> > > >
> > > > ---------- Forwarded message ----------
> > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> > > > Date: 2014-07-08 4:36 GMT+02:00
> > > > Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN:
> > > > JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
> > > > To: Dotclear Development Team <contact(a)dotclear.net>
> > > >
> > > >
> > > > Hello xave @ the Dotclear Team,
> > > >
> > > > We have received a vulnerability report for one of your products:
> > > >
> > > > - Dotclear 2.6.3 vulnerable to cross-site scripting
> > > >
> > > > I have attached the details of the reported vulnerability to this
> > email.
> > > > The password for the zip file will be sent in a separate email.
> > > > The original report was against version 2.6.2, but the issue was
also
> > > > verified to still exist in 2.6.3. Please see the report for more
> > details.
> > > >
> > > > Please take a look at the report and return to us with the
> information
> > > > such as;
> > > > -validate the products, and whether the reported vulnerability is
> > > > confirmed or not
> > > > -solutions (e.g., patch or module update)
> > > > -workarounds if any
> > > > -estimated time for creation of fixes
> > > > -preferable date for public release on your site
> > > > *we will also publish an advisory for this issue on our
> vulnerability
> > > > knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
> > > > synchronizing with your release schedule.
> > > >
> > > > **Caution**
> > > > We have assigned the tracking number for this vulnerability
issue;
> > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
> > > > Please be sure to include these numbers in the subject line for
> > > > future communication with us. We appreciate your cooperation on
> > this.
> > > >
> > > > If you have any questions and concerns, please do not hesitate to
> > > > contact us any time.
> > > >
> > > > Thank you in advance for your attention on this matter.
> > > > We are looking forward to hearing from you.
> > > >
> > > > Sincerely yours,
> > > >
> > > > Takayuki Uchiyama
> > > > JPCERT/CC Vulnerability Handling Team
> > > >
> > > > > Hello,
> > > > >
> > > > > Please be aware that Dotclear 2.6.2 is not the latest version:
> v2.6.3
> > > > > was released in May to patch vulnerabilities found in 2.6.2
(listed
> > at
> > > > >
> > > >
> > >
> >
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > > > > )
> > > > >
> > > > > If the vulnerabilities you found are not the one listed and
still
> > > > > exist in 2.6.3, please send any information to
> security(a)dotclear.net
> > > > > where you'll reach several members of the team (we do not
use a
GPG
> > > > > key).
> > > > >
> > > > > xave, for the Dotclear Team.
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC
<vuls(a)jpcert.or.jp>
> > wrote:
> > > > > > To whom it may concern,
> > > > > >
> > > > > > Hello. This is Noriko Takahashi from JPCERT/CC
Vulnerability
> > > > > > Handling Team. Please excuse the sudden contact.
> > > > > >
> > > > > > If you're not familiar with us or our activities,
please
> > > > > > check the following websites for more information.
> > > > > >
> > > > > > http://www.jpcert.or.jp/english/
> > > > > > http://www.jpcert.or.jp/english/vh/project.html
> > > > > >
> > > >
> http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > > > > > http://jvn.jp/en/
> > > > > >
> > > > > > We have received a report of a vulnerability found in the
> > > > > > product "Dotclear 2.6.2" from a researcher/user
here in Japan
> > > > > > under the vulnerability handling framework called
"Information
> > > > > > Security Early Warning Partnership" and the official
announcement
> > > > > > #235 "Software Vulnerability Related Information
Handling
> Measures"
> > > > > > which were designed by Ministry of Economy, Trade and
Industry
> > > (METI),
> > > > > > a Japanese cabinet.
> > > > > >
> > > > > > From the website
> > > > > > http://dotclear.org/contact
> > > > > > we found this email address. We would like to coordinate
with
you
> > > > > > to solve the reported vulnerability, and your cooperation
would
> be
> > > > > > greatly appreciated.
> > > > > >
> > > > > > Before we provide you the details of the reported
vulnerability,
> > > > > > we would like to know the appropriate point-of-contact
person,
> > > > > > or department/group/team to communicate in regards to this
issue.
> > > > > > It would be greatly appreciated if you could provide us
the
below
> > > > > > information at your earliest convenience.
> > > > > > -Name of the person/team who is in charge of such issues
> > > > > > -Email address
> > > > > > -PGP key if available
> > > > > >
> > > > > > Once we receive your reply and and point-of-contact
information,
> > > > > > we will then send you the original vulnerability report and
the
> > > > > > details either in a PGP encrypted message or in a password
> > protected
> > > > > > zip file.
> > > > > >
> > > > > > If you have any questions or concerns, please do not
hesitate
> > > > > > to contact us any time.
> > > > > >
> > > > > > Thank you in advance for your attention to this email.
> > > > > > We would very much appreciate your prompt reply.
> > > > > >
> > > > > > Sincerely yours,
> > > > > >
> > > > > > Noriko Takahashi
> > > > > > Leader of Vulnerability Handling Team
> > > > > > Information Coordination Group
> > > >
> ======================================================================
> > > > JPCERT Coordination Center (JPCERT/CC)
> > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL:
vuls(a)jpcert.or.jp
> > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50
FC
> > > > https://www.jpcert.or.jp/english http://jvn.jp/en/
> http://jvn.jp
> > > >
> > > >
> > > >
> > > > --
> > > > Dotclear Team
> > > >
> > >
> > >
> > >
> > > --
> > > Dotclear Team
> > > --
> > > Dev mailing list - Dev(a)list.dotclear.org -
> > > http://ml.dotclear.org/listinfo/dev
> > >
> > --
> > Dev mailing list - Dev(a)list.dotclear.org -
> > http://ml.dotclear.org/listinfo/dev
> >
>
>
>
> --
> Franck
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
5:06 p.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Je reproduis avec Firefox seulement aussi, sur la version 2.6.3 et 2.7-dev
--
Philippe
2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
Je reproduis aussi mais uniquement avec le panda bleu ! :-)
2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> je reproduis sur mon blog (mais qui a pas la dernière version)
>
>
> On 8 July 2014 16:26, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
>
> > JPCERT97966327
> >
> >
> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> >
> > > faut le mot de passe :)
> > >
> > >
> > > On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net>
wrote:
> > >
> > > > L'archive qui détaille un peu tout :
> > > > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> > > >
> > > >
> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact)
<contact(a)dotclear.net
> >:
> > > >
> > > > > Jour les gens,
> > > > >
> > > > > On a reçu ce matin un rapport au sujet d'une faille XSS
(voir
> > > ci-dessous,
> > > > > le mot de passe de l'archive est JPCERT97966327) mais je
n'arrive
> > pas à
> > > > > reproduire la faille.
> > > > > Quelqu'un peut regarder ça de son côté ?
> > > > >
> > > > > Franck
> > > > >
> > > > > ---------- Forwarded message ----------
> > > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> > > > > Date: 2014-07-08 4:36 GMT+02:00
> > > > > Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3
VN:
> > > > > JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
> > > > > To: Dotclear Development Team <contact(a)dotclear.net>
> > > > >
> > > > >
> > > > > Hello xave @ the Dotclear Team,
> > > > >
> > > > > We have received a vulnerability report for one of your
products:
> > > > >
> > > > > - Dotclear 2.6.3 vulnerable to cross-site scripting
> > > > >
> > > > > I have attached the details of the reported vulnerability to
this
> > > email.
> > > > > The password for the zip file will be sent in a separate email.
> > > > > The original report was against version 2.6.2, but the issue was
> also
> > > > > verified to still exist in 2.6.3. Please see the report for more
> > > details.
> > > > >
> > > > > Please take a look at the report and return to us with the
> > information
> > > > > such as;
> > > > > -validate the products, and whether the reported vulnerability
is
> > > > > confirmed or not
> > > > > -solutions (e.g., patch or module update)
> > > > > -workarounds if any
> > > > > -estimated time for creation of fixes
> > > > > -preferable date for public release on your site
> > > > > *we will also publish an advisory for this issue on our
> > vulnerability
> > > > > knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
> > > > > synchronizing with your release schedule.
> > > > >
> > > > > **Caution**
> > > > > We have assigned the tracking number for this vulnerability
> issue;
> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
> > > > > Please be sure to include these numbers in the subject line
for
> > > > > future communication with us. We appreciate your cooperation
on
> > > this.
> > > > >
> > > > > If you have any questions and concerns, please do not hesitate
to
> > > > > contact us any time.
> > > > >
> > > > > Thank you in advance for your attention on this matter.
> > > > > We are looking forward to hearing from you.
> > > > >
> > > > > Sincerely yours,
> > > > >
> > > > > Takayuki Uchiyama
> > > > > JPCERT/CC Vulnerability Handling Team
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > Please be aware that Dotclear 2.6.2 is not the latest
version:
> > v2.6.3
> > > > > > was released in May to patch vulnerabilities found in 2.6.2
> (listed
> > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > > > > > )
> > > > > >
> > > > > > If the vulnerabilities you found are not the one listed and
still
> > > > > > exist in 2.6.3, please send any information to
> > security(a)dotclear.net
> > > > > > where you'll reach several members of the team (we do
not use a
> GPG
> > > > > > key).
> > > > > >
> > > > > > xave, for the Dotclear Team.
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC
<vuls(a)jpcert.or.jp>
> > > wrote:
> > > > > > > To whom it may concern,
> > > > > > >
> > > > > > > Hello. This is Noriko Takahashi from JPCERT/CC
Vulnerability
> > > > > > > Handling Team. Please excuse the sudden contact.
> > > > > > >
> > > > > > > If you're not familiar with us or our activities,
please
> > > > > > > check the following websites for more information.
> > > > > > >
> > > > > > > http://www.jpcert.or.jp/english/
> > > > > > > http://www.jpcert.or.jp/english/vh/project.html
> > > > > > >
> > > > >
> > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > > > > > > http://jvn.jp/en/
> > > > > > >
> > > > > > > We have received a report of a vulnerability found in
the
> > > > > > > product "Dotclear 2.6.2" from a
researcher/user here in Japan
> > > > > > > under the vulnerability handling framework called
"Information
> > > > > > > Security Early Warning Partnership" and the
official
> announcement
> > > > > > > #235 "Software Vulnerability Related Information
Handling
> > Measures"
> > > > > > > which were designed by Ministry of Economy, Trade and
Industry
> > > > (METI),
> > > > > > > a Japanese cabinet.
> > > > > > >
> > > > > > > From the website
> > > > > > > http://dotclear.org/contact
> > > > > > > we found this email address. We would like to
coordinate with
> you
> > > > > > > to solve the reported vulnerability, and your
cooperation would
> > be
> > > > > > > greatly appreciated.
> > > > > > >
> > > > > > > Before we provide you the details of the reported
> vulnerability,
> > > > > > > we would like to know the appropriate point-of-contact
person,
> > > > > > > or department/group/team to communicate in regards to
this
> issue.
> > > > > > > It would be greatly appreciated if you could provide us
the
> below
> > > > > > > information at your earliest convenience.
> > > > > > > -Name of the person/team who is in charge of such
issues
> > > > > > > -Email address
> > > > > > > -PGP key if available
> > > > > > >
> > > > > > > Once we receive your reply and and point-of-contact
> information,
> > > > > > > we will then send you the original vulnerability report
and the
> > > > > > > details either in a PGP encrypted message or in a
password
> > > protected
> > > > > > > zip file.
> > > > > > >
> > > > > > > If you have any questions or concerns, please do not
hesitate
> > > > > > > to contact us any time.
> > > > > > >
> > > > > > > Thank you in advance for your attention to this email.
> > > > > > > We would very much appreciate your prompt reply.
> > > > > > >
> > > > > > > Sincerely yours,
> > > > > > >
> > > > > > > Noriko Takahashi
> > > > > > > Leader of Vulnerability Handling Team
> > > > > > > Information Coordination Group
> > > > >
> > ======================================================================
> > > > > JPCERT Coordination Center (JPCERT/CC)
> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL:
> vuls(a)jpcert.or.jp
> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D
50
> FC
> > > > > https://www.jpcert.or.jp/english http://jvn.jp/en/
> > http://jvn.jp
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Dotclear Team
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Dotclear Team
> > > > --
> > > > Dev mailing list - Dev(a)list.dotclear.org -
> > > > http://ml.dotclear.org/listinfo/dev
> > > >
> > > --
> > > Dev mailing list - Dev(a)list.dotclear.org -
> > > http://ml.dotclear.org/listinfo/dev
> > >
> >
> >
> >
> > --
> > Franck
> > --
> > Dev mailing list - Dev(a)list.dotclear.org -
> > http://ml.dotclear.org/listinfo/dev
> >
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Dev mailing list - Dev(a)list.dotclear.org - http://ml.dotclear.org/listinfo/dev
5:28 p.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Apparemment c'est un problème côté firefox, pas Dotclear. les chaînes sont
à priori bien échappées à la recherche et à l'affichage.
2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
Je reproduis avec Firefox seulement aussi, sur la version 2.6.3 et
2.7-dev
--
Philippe
2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
> Je reproduis aussi mais uniquement avec le panda bleu ! :-)
>
>
> 2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
>
>> je reproduis sur mon blog (mais qui a pas la dernière version)
>>
>>
>> On 8 July 2014 16:26, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
>>
>> > JPCERT97966327
>> >
>> >
>> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
>> >
>> > > faut le mot de passe :)
>> > >
>> > >
>> > > On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net>
wrote:
>> > >
>> > > > L'archive qui détaille un peu tout :
>> > > > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
>> > > >
>> > > >
>> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <
contact(a)dotclear.net
>> >:
>> > > >
>> > > > > Jour les gens,
>> > > > >
>> > > > > On a reçu ce matin un rapport au sujet d'une faille XSS
(voir
>> > > ci-dessous,
>> > > > > le mot de passe de l'archive est JPCERT97966327) mais
je
n'arrive
>> > pas à
>> > > > > reproduire la faille.
>> > > > > Quelqu'un peut regarder ça de son côté ?
>> > > > >
>> > > > > Franck
>> > > > >
>> > > > > ---------- Forwarded message ----------
>> > > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
>> > > > > Date: 2014-07-08 4:36 GMT+02:00
>> > > > > Subject: Re: Inquiry on vulnerability found in Dotclear
2.6.3
VN:
>> > > > > JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
>> > > > > To: Dotclear Development Team <contact(a)dotclear.net>
>> > > > >
>> > > > >
>> > > > > Hello xave @ the Dotclear Team,
>> > > > >
>> > > > > We have received a vulnerability report for one of your
products:
>> > > > >
>> > > > > - Dotclear 2.6.3 vulnerable to cross-site scripting
>> > > > >
>> > > > > I have attached the details of the reported vulnerability
to
this
>> > > email.
>> > > > > The password for the zip file will be sent in a separate
email.
>> > > > > The original report was against version 2.6.2, but the issue
was
>> also
>> > > > > verified to still exist in 2.6.3. Please see the report for
more
>> > > details.
>> > > > >
>> > > > > Please take a look at the report and return to us with the
>> > information
>> > > > > such as;
>> > > > > -validate the products, and whether the reported
vulnerability
is
>> > > > > confirmed or not
>> > > > > -solutions (e.g., patch or module update)
>> > > > > -workarounds if any
>> > > > > -estimated time for creation of fixes
>> > > > > -preferable date for public release on your site
>> > > > > *we will also publish an advisory for this issue on our
>> > vulnerability
>> > > > > knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
>> > > > > synchronizing with your release schedule.
>> > > > >
>> > > > > **Caution**
>> > > > > We have assigned the tracking number for this
vulnerability
>> issue;
>> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
>> > > > > Please be sure to include these numbers in the subject
line
for
>> > > > > future communication with us. We appreciate your
cooperation
on
>> > > this.
>> > > > >
>> > > > > If you have any questions and concerns, please do not
hesitate
to
>> > > > > contact us any time.
>> > > > >
>> > > > > Thank you in advance for your attention on this matter.
>> > > > > We are looking forward to hearing from you.
>> > > > >
>> > > > > Sincerely yours,
>> > > > >
>> > > > > Takayuki Uchiyama
>> > > > > JPCERT/CC Vulnerability Handling Team
>> > > > >
>> > > > > > Hello,
>> > > > > >
>> > > > > > Please be aware that Dotclear 2.6.2 is not the latest
version:
>> > v2.6.3
>> > > > > > was released in May to patch vulnerabilities found in
2.6.2
>> (listed
>> > > at
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
>> > > > > > )
>> > > > > >
>> > > > > > If the vulnerabilities you found are not the one listed
and
still
>> > > > > > exist in 2.6.3, please send any information to
>> > security(a)dotclear.net
>> > > > > > where you'll reach several members of the team (we
do not use
a
>> GPG
>> > > > > > key).
>> > > > > >
>> > > > > > xave, for the Dotclear Team.
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC
<vuls(a)jpcert.or.jp
>
>> > > wrote:
>> > > > > > > To whom it may concern,
>> > > > > > >
>> > > > > > > Hello. This is Noriko Takahashi from JPCERT/CC
Vulnerability
>> > > > > > > Handling Team. Please excuse the sudden contact.
>> > > > > > >
>> > > > > > > If you're not familiar with us or our
activities, please
>> > > > > > > check the following websites for more
information.
>> > > > > > >
>> > > > > > > http://www.jpcert.or.jp/english/
>> > > > > > > http://www.jpcert.or.jp/english/vh/project.html
>> > > > > > >
>> > > > >
>> >
http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
>> > > > > > > http://jvn.jp/en/
>> > > > > > >
>> > > > > > > We have received a report of a vulnerability found
in the
>> > > > > > > product "Dotclear 2.6.2" from a
researcher/user here in
Japan
>> > > > > > > under the vulnerability handling framework called
"Information
>> > > > > > > Security Early Warning Partnership" and the
official
>> announcement
>> > > > > > > #235 "Software Vulnerability Related
Information Handling
>> > Measures"
>> > > > > > > which were designed by Ministry of Economy, Trade
and
Industry
>> > > > (METI),
>> > > > > > > a Japanese cabinet.
>> > > > > > >
>> > > > > > > From the website
>> > > > > > > http://dotclear.org/contact
>> > > > > > > we found this email address. We would like to
coordinate
with
>> you
>> > > > > > > to solve the reported vulnerability, and your
cooperation
would
>> > be
>> > > > > > > greatly appreciated.
>> > > > > > >
>> > > > > > > Before we provide you the details of the reported
>> vulnerability,
>> > > > > > > we would like to know the appropriate
point-of-contact
person,
>> > > > > > > or department/group/team to communicate in regards
to this
>> issue.
>> > > > > > > It would be greatly appreciated if you could
provide us the
>> below
>> > > > > > > information at your earliest convenience.
>> > > > > > > -Name of the person/team who is in charge of such
issues
>> > > > > > > -Email address
>> > > > > > > -PGP key if available
>> > > > > > >
>> > > > > > > Once we receive your reply and and
point-of-contact
>> information,
>> > > > > > > we will then send you the original vulnerability
report and
the
>> > > > > > > details either in a PGP encrypted message or in a
password
>> > > protected
>> > > > > > > zip file.
>> > > > > > >
>> > > > > > > If you have any questions or concerns, please do
not
hesitate
>> > > > > > > to contact us any time.
>> > > > > > >
>> > > > > > > Thank you in advance for your attention to this
email.
>> > > > > > > We would very much appreciate your prompt reply.
>> > > > > > >
>> > > > > > > Sincerely yours,
>> > > > > > >
>> > > > > > > Noriko Takahashi
>> > > > > > > Leader of Vulnerability Handling Team
>> > > > > > > Information Coordination Group
>> > > > >
>> > ======================================================================
>> > > > > JPCERT Coordination Center (JPCERT/CC)
>> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL:
>> vuls(a)jpcert.or.jp
>> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8
8D
50
>> FC
>> > > > > https://www.jpcert.or.jp/english http://jvn.jp/en/
>> > http://jvn.jp
>> > > > >
>> > > > >
>> > > > >
>> > > > > --
>> > > > > Dotclear Team
>> > > > >
>> > > >
>> > > >
>> > > >
>> > > > --
>> > > > Dotclear Team
>> > > > --
>> > > > Dev mailing list - Dev(a)list.dotclear.org -
>> > > > http://ml.dotclear.org/listinfo/dev
>> > > >
>> > > --
>> > > Dev mailing list - Dev(a)list.dotclear.org -
>> > > http://ml.dotclear.org/listinfo/dev
>> > >
>> >
>> >
>> >
>> > --
>> > Franck
>> > --
>> > Dev mailing list - Dev(a)list.dotclear.org -
>> > http://ml.dotclear.org/listinfo/dev
>> >
>> --
>> Dev mailing list - Dev(a)list.dotclear.org -
>> http://ml.dotclear.org/listinfo/dev
>>
> --
> Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
--
Franck
8:23 p.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Re,
2014-07-08 17:28 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
Apparemment c'est un problème côté firefox, pas Dotclear. les
chaînes sont
à priori bien échappées à la recherche et à l'affichage.
Et oui Franck, sinon le problème existerait quel que soit le navigateur.
2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
> Je reproduis avec Firefox seulement aussi, sur la version 2.6.3 et
2.7-dev
> --
> Philippe
>
>
> 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
> > Je reproduis aussi mais uniquement avec le panda bleu ! :-)
> >
> >
> > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> >
> >> je reproduis sur mon blog (mais qui a pas la dernière version)
> >>
> >>
> >> On 8 July 2014 16:26, Franck Paul <carnet.franck.paul(a)gmail.com>
wrote:
> >>
> >> > JPCERT97966327
> >> >
> >> >
> >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> >> >
> >> > > faut le mot de passe :)
> >> > >
> >> > >
> >> > > On 8 July 2014 16:04, Dotclear (contact)
<contact(a)dotclear.net>
> wrote:
> >> > >
> >> > > > L'archive qui détaille un peu tout :
> >> > > >
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> >> > > >
> >> > > >
> >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <
> contact(a)dotclear.net
> >> >:
> >> > > >
> >> > > > > Jour les gens,
> >> > > > >
> >> > > > > On a reçu ce matin un rapport au sujet d'une faille
XSS (voir
> >> > > ci-dessous,
> >> > > > > le mot de passe de l'archive est JPCERT97966327)
mais je
> n'arrive
> >> > pas à
> >> > > > > reproduire la faille.
> >> > > > > Quelqu'un peut regarder ça de son côté ?
> >> > > > >
> >> > > > > Franck
> >> > > > >
> >> > > > > ---------- Forwarded message ----------
> >> > > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> >> > > > > Date: 2014-07-08 4:36 GMT+02:00
> >> > > > > Subject: Re: Inquiry on vulnerability found in Dotclear
2.6.3
> VN:
> >> > > > > JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
> >> > > > > To: Dotclear Development Team
<contact(a)dotclear.net>
> >> > > > >
> >> > > > >
> >> > > > > Hello xave @ the Dotclear Team,
> >> > > > >
> >> > > > > We have received a vulnerability report for one of
your
> products:
> >> > > > >
> >> > > > > - Dotclear 2.6.3 vulnerable to cross-site scripting
> >> > > > >
> >> > > > > I have attached the details of the reported
vulnerability to
> this
> >> > > email.
> >> > > > > The password for the zip file will be sent in a
separate
email.
> >> > > > > The original report was against version 2.6.2, but the
issue
was
> >> also
> >> > > > > verified to still exist in 2.6.3. Please see the report
for
more
> >> > > details.
> >> > > > >
> >> > > > > Please take a look at the report and return to us with
the
> >> > information
> >> > > > > such as;
> >> > > > > -validate the products, and whether the reported
vulnerability
> is
> >> > > > > confirmed or not
> >> > > > > -solutions (e.g., patch or module update)
> >> > > > > -workarounds if any
> >> > > > > -estimated time for creation of fixes
> >> > > > > -preferable date for public release on your site
> >> > > > > *we will also publish an advisory for this issue on
our
> >> > vulnerability
> >> > > > > knowledge base, JVN, http://jvn.jp,
http://jvn.jp/en/,
> >> > > > > synchronizing with your release schedule.
> >> > > > >
> >> > > > > **Caution**
> >> > > > > We have assigned the tracking number for this
vulnerability
> >> issue;
> >> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
> >> > > > > Please be sure to include these numbers in the
subject line
> for
> >> > > > > future communication with us. We appreciate your
cooperation
> on
> >> > > this.
> >> > > > >
> >> > > > > If you have any questions and concerns, please do not
hesitate
> to
> >> > > > > contact us any time.
> >> > > > >
> >> > > > > Thank you in advance for your attention on this
matter.
> >> > > > > We are looking forward to hearing from you.
> >> > > > >
> >> > > > > Sincerely yours,
> >> > > > >
> >> > > > > Takayuki Uchiyama
> >> > > > > JPCERT/CC Vulnerability Handling Team
> >> > > > >
> >> > > > > > Hello,
> >> > > > > >
> >> > > > > > Please be aware that Dotclear 2.6.2 is not the
latest
version:
> >> > v2.6.3
> >> > > > > > was released in May to patch vulnerabilities found
in 2.6.2
> >> (listed
> >> > > at
> >> > > > > >
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> >> > > > > > )
> >> > > > > >
> >> > > > > > If the vulnerabilities you found are not the one
listed and
> still
> >> > > > > > exist in 2.6.3, please send any information to
> >> > security(a)dotclear.net
> >> > > > > > where you'll reach several members of the team
(we do not
use
> a
> >> GPG
> >> > > > > > key).
> >> > > > > >
> >> > > > > > xave, for the Dotclear Team.
> >> > > > > >
> >> > > > > >
> >> > > > > >
> >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <
vuls(a)jpcert.or.jp
> >
> >> > > wrote:
> >> > > > > > > To whom it may concern,
> >> > > > > > >
> >> > > > > > > Hello. This is Noriko Takahashi from
JPCERT/CC
> Vulnerability
> >> > > > > > > Handling Team. Please excuse the sudden
contact.
> >> > > > > > >
> >> > > > > > > If you're not familiar with us or our
activities, please
> >> > > > > > > check the following websites for more
information.
> >> > > > > > >
> >> > > > > > > http://www.jpcert.or.jp/english/
> >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
> >> > > > > > >
> >> > > > >
> >> >
> http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> >> > > > > > > http://jvn.jp/en/
> >> > > > > > >
> >> > > > > > > We have received a report of a vulnerability
found in the
> >> > > > > > > product "Dotclear 2.6.2" from a
researcher/user here in
> Japan
> >> > > > > > > under the vulnerability handling framework
called
> "Information
> >> > > > > > > Security Early Warning Partnership" and
the official
> >> announcement
> >> > > > > > > #235 "Software Vulnerability Related
Information Handling
> >> > Measures"
> >> > > > > > > which were designed by Ministry of Economy,
Trade and
> Industry
> >> > > > (METI),
> >> > > > > > > a Japanese cabinet.
> >> > > > > > >
> >> > > > > > > From the website
> >> > > > > > > http://dotclear.org/contact
> >> > > > > > > we found this email address. We would like to
coordinate
> with
> >> you
> >> > > > > > > to solve the reported vulnerability, and your
cooperation
> would
> >> > be
> >> > > > > > > greatly appreciated.
> >> > > > > > >
> >> > > > > > > Before we provide you the details of the
reported
> >> vulnerability,
> >> > > > > > > we would like to know the appropriate
point-of-contact
> person,
> >> > > > > > > or department/group/team to communicate in
regards to this
> >> issue.
> >> > > > > > > It would be greatly appreciated if you could
provide us
the
> >> below
> >> > > > > > > information at your earliest convenience.
> >> > > > > > > -Name of the person/team who is in charge of
such issues
> >> > > > > > > -Email address
> >> > > > > > > -PGP key if available
> >> > > > > > >
> >> > > > > > > Once we receive your reply and and
point-of-contact
> >> information,
> >> > > > > > > we will then send you the original
vulnerability report
and
> the
> >> > > > > > > details either in a PGP encrypted message or
in a password
> >> > > protected
> >> > > > > > > zip file.
> >> > > > > > >
> >> > > > > > > If you have any questions or concerns, please
do not
> hesitate
> >> > > > > > > to contact us any time.
> >> > > > > > >
> >> > > > > > > Thank you in advance for your attention to
this email.
> >> > > > > > > We would very much appreciate your prompt
reply.
> >> > > > > > >
> >> > > > > > > Sincerely yours,
> >> > > > > > >
> >> > > > > > > Noriko Takahashi
> >> > > > > > > Leader of Vulnerability Handling Team
> >> > > > > > > Information Coordination Group
> >> > > > >
> >> >
======================================================================
> >> > > > > JPCERT Coordination Center (JPCERT/CC)
> >> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL:
> >> vuls(a)jpcert.or.jp
> >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52
D4 F8
8D
> 50
> >> FC
> >> > > > > https://www.jpcert.or.jp/english http://jvn.jp/en/
> >> > http://jvn.jp
> >> > > > >
> >> > > > >
> >> > > > >
> >> > > > > --
> >> > > > > Dotclear Team
> >> > > > >
> >> > > >
> >> > > >
> >> > > >
> >> > > > --
> >> > > > Dotclear Team
> >> > > > --
> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > > > http://ml.dotclear.org/listinfo/dev
> >> > > >
> >> > > --
> >> > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > > http://ml.dotclear.org/listinfo/dev
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Franck
> >> > --
> >> > Dev mailing list - Dev(a)list.dotclear.org -
> >> > http://ml.dotclear.org/listinfo/dev
> >> >
> >> --
> >> Dev mailing list - Dev(a)list.dotclear.org -
> >> http://ml.dotclear.org/listinfo/dev
> >>
> > --
> > Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Franck
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
11:57 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
moi je vois en clair dans le source:
<input type="submit" value="ok" /></p><input
type="hidden"
name="xd_check" value="e583662b0e24493bb6d9e67cdfdc03140104694a"
/><input type="hidden" name="q" value=""><img
src=0
<view-source:https://everlong.org/blog/admin/0>
onerror=alert(document.cookie)>" /><input type="hidden"
name="qtype"
value="p" /></div></form><form
action="/blog/admin/search.php
<view-source:https://everlong.org/blog/admin/search.php>"
method="get"><div class="pager"><ul><li
class="first no-link btn"><img
src="images/pagination/no-first.png
<view-source:https://everlong.org/blog/admin/images/pagination/no-first.pn...
alt="Première page"/></li><li class="prev no-link
btn"><img
src="images/pagination/no-previous.png
<view-source:https://everlong.org/blog/admin/images/pagination/no-previous...
alt="Page précédente"/></li><li
class="active"><strong>Page 1 /
16</strong></li><li class="next btn"><a
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2
<view-source:https://everlong.org/blog/admin/search.php?q=%22%3E%3Cimg+src...
src="images/pagination/next.png
<view-source:https://everlong.org/blog/admin/images/pagination/next.png>...
alt="Page suivante"/></a><span class="hidden">Page
suivante</span></li><li class="last btn"><a
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16
<view-source:https://everlong.org/blog/admin/search.php?q=%22%3E%3Cimg+src...
src="images/pagination/last.png
<view-source:https://everlong.org/blog/admin/images/pagination/last.png>...
alt="Dernière page"/></a><span class="hidden">Dernière
page</span></li><li class="direct-access">Aller à la page :
<input
type="text" size="3" name="page" maxlength="10"
/><input
type="submit" value="ok" class="reset" name="ok"
/><input
type="hidden" name="q" value=""><img src=0
<view-source:https://everlong.org/blog/admin/0>
onerror=alert(document.cookie)>" /><input type="hidden"
name="qtype"
value="p" /></li></ul></div></form><div
id="help"><hr /><div
class="help-content clear"><h3>Aide pour cette page</h3>
(cherche "xd_check")
après, pourquoi ça se reproduit pas ailleurs, j'en sais rien, mais je vois
quand même bien qu'on échappe pas l'entrée utilisateur alors qu'on le
devrait.
On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
Re,
2014-07-08 17:28 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
> Apparemment c'est un problème côté firefox, pas Dotclear. les chaînes
sont
> à priori bien échappées à la recherche et à l'affichage.
>
> Et oui Franck, sinon le problème existerait quel que soit le navigateur.
>
> 2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
>
> > Je reproduis avec Firefox seulement aussi, sur la version 2.6.3 et
> 2.7-dev
> > --
> > Philippe
> >
> >
> > 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
> > > Je reproduis aussi mais uniquement avec le panda bleu ! :-)
> > >
> > >
> > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> > >
> > >> je reproduis sur mon blog (mais qui a pas la dernière version)
> > >>
> > >>
> > >> On 8 July 2014 16:26, Franck Paul
<carnet.franck.paul(a)gmail.com>
> wrote:
> > >>
> > >> > JPCERT97966327
> > >> >
> > >> >
> > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com>:
> > >> >
> > >> > > faut le mot de passe :)
> > >> > >
> > >> > >
> > >> > > On 8 July 2014 16:04, Dotclear (contact)
<contact(a)dotclear.net>
> > wrote:
> > >> > >
> > >> > > > L'archive qui détaille un peu tout :
> > >> > > >
> https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> > >> > > >
> > >> > > >
> > >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <
> > contact(a)dotclear.net
> > >> >:
> > >> > > >
> > >> > > > > Jour les gens,
> > >> > > > >
> > >> > > > > On a reçu ce matin un rapport au sujet d'une
faille XSS
(voir
> > >> > > ci-dessous,
> > >> > > > > le mot de passe de l'archive est
JPCERT97966327) mais je
> > n'arrive
> > >> > pas à
> > >> > > > > reproduire la faille.
> > >> > > > > Quelqu'un peut regarder ça de son côté ?
> > >> > > > >
> > >> > > > > Franck
> > >> > > > >
> > >> > > > > ---------- Forwarded message ----------
> > >> > > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> > >> > > > > Date: 2014-07-08 4:36 GMT+02:00
> > >> > > > > Subject: Re: Inquiry on vulnerability found in
Dotclear
2.6.3
> > VN:
> > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
> > >> > > > > To: Dotclear Development Team
<contact(a)dotclear.net>
> > >> > > > >
> > >> > > > >
> > >> > > > > Hello xave @ the Dotclear Team,
> > >> > > > >
> > >> > > > > We have received a vulnerability report for one of
your
> > products:
> > >> > > > >
> > >> > > > > - Dotclear 2.6.3 vulnerable to cross-site
scripting
> > >> > > > >
> > >> > > > > I have attached the details of the reported
vulnerability to
> > this
> > >> > > email.
> > >> > > > > The password for the zip file will be sent in a
separate
> email.
> > >> > > > > The original report was against version 2.6.2, but
the issue
> was
> > >> also
> > >> > > > > verified to still exist in 2.6.3. Please see the
report for
> more
> > >> > > details.
> > >> > > > >
> > >> > > > > Please take a look at the report and return to us
with the
> > >> > information
> > >> > > > > such as;
> > >> > > > > -validate the products, and whether the reported
> vulnerability
> > is
> > >> > > > > confirmed or not
> > >> > > > > -solutions (e.g., patch or module update)
> > >> > > > > -workarounds if any
> > >> > > > > -estimated time for creation of fixes
> > >> > > > > -preferable date for public release on your site
> > >> > > > > *we will also publish an advisory for this issue
on our
> > >> > vulnerability
> > >> > > > > knowledge base, JVN, http://jvn.jp,
http://jvn.jp/en/,
> > >> > > > > synchronizing with your release schedule.
> > >> > > > >
> > >> > > > > **Caution**
> > >> > > > > We have assigned the tracking number for this
vulnerability
> > >> issue;
> > >> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
> > >> > > > > Please be sure to include these numbers in the
subject
line
> > for
> > >> > > > > future communication with us. We appreciate
your
> cooperation
> > on
> > >> > > this.
> > >> > > > >
> > >> > > > > If you have any questions and concerns, please do
not
hesitate
> > to
> > >> > > > > contact us any time.
> > >> > > > >
> > >> > > > > Thank you in advance for your attention on this
matter.
> > >> > > > > We are looking forward to hearing from you.
> > >> > > > >
> > >> > > > > Sincerely yours,
> > >> > > > >
> > >> > > > > Takayuki Uchiyama
> > >> > > > > JPCERT/CC Vulnerability Handling Team
> > >> > > > >
> > >> > > > > > Hello,
> > >> > > > > >
> > >> > > > > > Please be aware that Dotclear 2.6.2 is not
the latest
> version:
> > >> > v2.6.3
> > >> > > > > > was released in May to patch vulnerabilities
found in
2.6.2
> > >> (listed
> > >> > > at
> > >> > > > > >
> > >> > > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> >
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > >> > > > > > )
> > >> > > > > >
> > >> > > > > > If the vulnerabilities you found are not the
one listed
and
> > still
> > >> > > > > > exist in 2.6.3, please send any information
to
> > >> > security(a)dotclear.net
> > >> > > > > > where you'll reach several members of the
team (we do not
> use
> > a
> > >> GPG
> > >> > > > > > key).
> > >> > > > > >
> > >> > > > > > xave, for the Dotclear Team.
> > >> > > > > >
> > >> > > > > >
> > >> > > > > >
> > >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC
<
> vuls(a)jpcert.or.jp
> > >
> > >> > > wrote:
> > >> > > > > > > To whom it may concern,
> > >> > > > > > >
> > >> > > > > > > Hello. This is Noriko Takahashi from
JPCERT/CC
> > Vulnerability
> > >> > > > > > > Handling Team. Please excuse the sudden
contact.
> > >> > > > > > >
> > >> > > > > > > If you're not familiar with us or
our activities, please
> > >> > > > > > > check the following websites for more
information.
> > >> > > > > > >
> > >> > > > > > > http://www.jpcert.or.jp/english/
> > >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
> > >> > > > > > >
> > >> > > > >
> > >> >
> > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > >> > > > > > > http://jvn.jp/en/
> > >> > > > > > >
> > >> > > > > > > We have received a report of a
vulnerability found in
the
> > >> > > > > > > product "Dotclear 2.6.2" from
a researcher/user here in
> > Japan
> > >> > > > > > > under the vulnerability handling
framework called
> > "Information
> > >> > > > > > > Security Early Warning Partnership"
and the official
> > >> announcement
> > >> > > > > > > #235 "Software Vulnerability
Related Information
Handling
> > >> > Measures"
> > >> > > > > > > which were designed by Ministry of
Economy, Trade and
> > Industry
> > >> > > > (METI),
> > >> > > > > > > a Japanese cabinet.
> > >> > > > > > >
> > >> > > > > > > From the website
> > >> > > > > > > http://dotclear.org/contact
> > >> > > > > > > we found this email address. We would
like to coordinate
> > with
> > >> you
> > >> > > > > > > to solve the reported vulnerability, and
your
cooperation
> > would
> > >> > be
> > >> > > > > > > greatly appreciated.
> > >> > > > > > >
> > >> > > > > > > Before we provide you the details of the
reported
> > >> vulnerability,
> > >> > > > > > > we would like to know the appropriate
point-of-contact
> > person,
> > >> > > > > > > or department/group/team to communicate
in regards to
this
> > >> issue.
> > >> > > > > > > It would be greatly appreciated if you
could provide us
> the
> > >> below
> > >> > > > > > > information at your earliest
convenience.
> > >> > > > > > > -Name of the person/team who is in
charge of such
issues
> > >> > > > > > > -Email address
> > >> > > > > > > -PGP key if available
> > >> > > > > > >
> > >> > > > > > > Once we receive your reply and and
point-of-contact
> > >> information,
> > >> > > > > > > we will then send you the original
vulnerability report
> and
> > the
> > >> > > > > > > details either in a PGP encrypted
message or in a
password
> > >> > > protected
> > >> > > > > > > zip file.
> > >> > > > > > >
> > >> > > > > > > If you have any questions or concerns,
please do not
> > hesitate
> > >> > > > > > > to contact us any time.
> > >> > > > > > >
> > >> > > > > > > Thank you in advance for your attention
to this email.
> > >> > > > > > > We would very much appreciate your
prompt reply.
> > >> > > > > > >
> > >> > > > > > > Sincerely yours,
> > >> > > > > > >
> > >> > > > > > > Noriko Takahashi
> > >> > > > > > > Leader of Vulnerability Handling Team
> > >> > > > > > > Information Coordination Group
> > >> > > > >
> > >> >
> ======================================================================
> > >> > > > > JPCERT Coordination Center (JPCERT/CC)
> > >> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
EMAIL:
> > >> vuls(a)jpcert.or.jp
> > >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63
89 52 D4 F8
> 8D
> > 50
> > >> FC
> > >> > > > > https://www.jpcert.or.jp/english
http://jvn.jp/en/
> > >> > http://jvn.jp
> > >> > > > >
> > >> > > > >
> > >> > > > >
> > >> > > > > --
> > >> > > > > Dotclear Team
> > >> > > > >
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > --
> > >> > > > Dotclear Team
> > >> > > > --
> > >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> > >> > > > http://ml.dotclear.org/listinfo/dev
> > >> > > >
> > >> > > --
> > >> > > Dev mailing list - Dev(a)list.dotclear.org -
> > >> > > http://ml.dotclear.org/listinfo/dev
> > >> > >
> > >> >
> > >> >
> > >> >
> > >> > --
> > >> > Franck
> > >> > --
> > >> > Dev mailing list - Dev(a)list.dotclear.org -
> > >> > http://ml.dotclear.org/listinfo/dev
> > >> >
> > >> --
> > >> Dev mailing list - Dev(a)list.dotclear.org -
> > >> http://ml.dotclear.org/listinfo/dev
> > >>
> > > --
> > > Dev mailing list - Dev(a)list.dotclear.org -
> > http://ml.dotclear.org/listinfo/dev
> > --
> > Dev mailing list - Dev(a)list.dotclear.org -
> > http://ml.dotclear.org/listinfo/dev
> >
>
>
>
> --
> Franck
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
11:58 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
moi je vois en clair dans le source:
<input type="submit" value="ok" /></p><input
type="hidden" name="xd_check"
value="e583662b0e24493bb6d9e67cdfdc03140104694a" /><input
type="hidden" name="q" value=""><img src=0
onerror=alert(document.cookie)>" /><input type="hidden"
name="qtype" value="p" /></div></form><form
action="/blog/admin/search.php" method="get"><div
class="pager"><ul><li class="first no-link btn"><img
src="images/pagination/no-first.png" alt="Première
page"/></li><li class="prev no-link btn"><img
src="images/pagination/no-previous.png" alt="Page
précédente"/></li><li class="active"><strong>Page 1 /
16</strong></li><li class="next btn"><a
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
src="images/pagination/next.png" alt="Page
suivante"/></a><span class="hidden">Page
suivante</span></li><li class="last btn"><a
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
src="images/pagination/last.png" alt="Dernière
page"/></a><span class="hidden">Dernière
page</span></li><li class="direct-access">Aller à la page :
<input type="text" size="3" name="page"
maxlength="10" /><input type="submit" value="ok"
class="reset" name="ok" /><input type="hidden"
name="q" value=""><img src=0
onerror=alert(document.cookie)>" /><input type="hidden"
name="qtype" value="p"
/></li></ul></div></form><div id="help"><hr
/><div class="help-content clear"><h3>Aide pour cette
page</h3>
(cherche "xd_check")
après, pourquoi ça se reproduit pas ailleurs, j'en sais rien, mais je vois
quand même bien qu'on échappe pas l'entrée utilisateur alors qu'on le
devrait.
On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> Re,
>
>
> 2014-07-08 17:28 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
>
> > Apparemment c'est un problème côté firefox, pas Dotclear. les chaînes
> sont
> > à priori bien échappées à la recherche et à l'affichage.
> >
> > Et oui Franck, sinon le problème existerait quel que soit le navigateur.
>
>
>
> >
> > 2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
> >
> > > Je reproduis avec Firefox seulement aussi, sur la version 2.6.3 et
> > 2.7-dev
> > > --
> > > Philippe
> > >
> > >
> > > 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
> > > > Je reproduis aussi mais uniquement avec le panda bleu ! :-)
> > > >
> > > >
> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> > > >
> > > >> je reproduis sur mon blog (mais qui a pas la dernière version)
> > > >>
> > > >>
> > > >> On 8 July 2014 16:26, Franck Paul
<carnet.franck.paul(a)gmail.com>
> > wrote:
> > > >>
> > > >> > JPCERT97966327
> > > >> >
> > > >> >
> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com>:
> > > >> >
> > > >> > > faut le mot de passe :)
> > > >> > >
> > > >> > >
> > > >> > > On 8 July 2014 16:04, Dotclear (contact)
<contact(a)dotclear.net
> >
> > > wrote:
> > > >> > >
> > > >> > > > L'archive qui détaille un peu tout :
> > > >> > > >
> > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> > > >> > > >
> > > >> > > >
> > > >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <
> > > contact(a)dotclear.net
> > > >> >:
> > > >> > > >
> > > >> > > > > Jour les gens,
> > > >> > > > >
> > > >> > > > > On a reçu ce matin un rapport au sujet
d'une faille XSS
> (voir
> > > >> > > ci-dessous,
> > > >> > > > > le mot de passe de l'archive est
JPCERT97966327) mais je
> > > n'arrive
> > > >> > pas à
> > > >> > > > > reproduire la faille.
> > > >> > > > > Quelqu'un peut regarder ça de son côté ?
> > > >> > > > >
> > > >> > > > > Franck
> > > >> > > > >
> > > >> > > > > ---------- Forwarded message ----------
> > > >> > > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> > > >> > > > > Date: 2014-07-08 4:36 GMT+02:00
> > > >> > > > > Subject: Re: Inquiry on vulnerability found in
Dotclear
> 2.6.3
> > > VN:
> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
> > > >> > > > > To: Dotclear Development Team
<contact(a)dotclear.net>
> > > >> > > > >
> > > >> > > > >
> > > >> > > > > Hello xave @ the Dotclear Team,
> > > >> > > > >
> > > >> > > > > We have received a vulnerability report for
one of your
> > > products:
> > > >> > > > >
> > > >> > > > > - Dotclear 2.6.3 vulnerable to cross-site
scripting
> > > >> > > > >
> > > >> > > > > I have attached the details of the reported
vulnerability
> to
> > > this
> > > >> > > email.
> > > >> > > > > The password for the zip file will be sent in
a separate
> > email.
> > > >> > > > > The original report was against version 2.6.2,
but the
> issue
> > was
> > > >> also
> > > >> > > > > verified to still exist in 2.6.3. Please see
the report for
> > more
> > > >> > > details.
> > > >> > > > >
> > > >> > > > > Please take a look at the report and return to
us with the
> > > >> > information
> > > >> > > > > such as;
> > > >> > > > > -validate the products, and whether the
reported
> > vulnerability
> > > is
> > > >> > > > > confirmed or not
> > > >> > > > > -solutions (e.g., patch or module update)
> > > >> > > > > -workarounds if any
> > > >> > > > > -estimated time for creation of fixes
> > > >> > > > > -preferable date for public release on your
site
> > > >> > > > > *we will also publish an advisory for this
issue on our
> > > >> > vulnerability
> > > >> > > > > knowledge base, JVN, http://jvn.jp,
http://jvn.jp/en/,
> > > >> > > > > synchronizing with your release schedule.
> > > >> > > > >
> > > >> > > > > **Caution**
> > > >> > > > > We have assigned the tracking number for
this
> vulnerability
> > > >> issue;
> > > >> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
> > > >> > > > > Please be sure to include these numbers in
the subject
> line
> > > for
> > > >> > > > > future communication with us. We appreciate
your
> > cooperation
> > > on
> > > >> > > this.
> > > >> > > > >
> > > >> > > > > If you have any questions and concerns, please
do not
> hesitate
> > > to
> > > >> > > > > contact us any time.
> > > >> > > > >
> > > >> > > > > Thank you in advance for your attention on
this matter.
> > > >> > > > > We are looking forward to hearing from you.
> > > >> > > > >
> > > >> > > > > Sincerely yours,
> > > >> > > > >
> > > >> > > > > Takayuki Uchiyama
> > > >> > > > > JPCERT/CC Vulnerability Handling Team
> > > >> > > > >
> > > >> > > > > > Hello,
> > > >> > > > > >
> > > >> > > > > > Please be aware that Dotclear 2.6.2 is
not the latest
> > version:
> > > >> > v2.6.3
> > > >> > > > > > was released in May to patch
vulnerabilities found in
> 2.6.2
> > > >> (listed
> > > >> > > at
> > > >> > > > > >
> > > >> > > > >
> > > >> > > >
> > > >> > >
> > > >> >
> > > >>
> > >
> >
> http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > > >> > > > > > )
> > > >> > > > > >
> > > >> > > > > > If the vulnerabilities you found are not
the one listed
> and
> > > still
> > > >> > > > > > exist in 2.6.3, please send any
information to
> > > >> > security(a)dotclear.net
> > > >> > > > > > where you'll reach several members of
the team (we do not
> > use
> > > a
> > > >> GPG
> > > >> > > > > > key).
> > > >> > > > > >
> > > >> > > > > > xave, for the Dotclear Team.
> > > >> > > > > >
> > > >> > > > > >
> > > >> > > > > >
> > > >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM,
JPCERT/CC <
> > vuls(a)jpcert.or.jp
> > > >
> > > >> > > wrote:
> > > >> > > > > > > To whom it may concern,
> > > >> > > > > > >
> > > >> > > > > > > Hello. This is Noriko Takahashi
from JPCERT/CC
> > > Vulnerability
> > > >> > > > > > > Handling Team. Please excuse the
sudden contact.
> > > >> > > > > > >
> > > >> > > > > > > If you're not familiar with us
or our activities,
> please
> > > >> > > > > > > check the following websites for
more information.
> > > >> > > > > > >
> > > >> > > > > > > http://www.jpcert.or.jp/english/
> > > >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
> > > >> > > > > > >
> > > >> > > > >
> > > >> >
> > >
> http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > > >> > > > > > > http://jvn.jp/en/
> > > >> > > > > > >
> > > >> > > > > > > We have received a report of a
vulnerability found in
> the
> > > >> > > > > > > product "Dotclear 2.6.2"
from a researcher/user here in
> > > Japan
> > > >> > > > > > > under the vulnerability handling
framework called
> > > "Information
> > > >> > > > > > > Security Early Warning
Partnership" and the official
> > > >> announcement
> > > >> > > > > > > #235 "Software Vulnerability
Related Information
> Handling
> > > >> > Measures"
> > > >> > > > > > > which were designed by Ministry of
Economy, Trade and
> > > Industry
> > > >> > > > (METI),
> > > >> > > > > > > a Japanese cabinet.
> > > >> > > > > > >
> > > >> > > > > > > From the website
> > > >> > > > > > > http://dotclear.org/contact
> > > >> > > > > > > we found this email address. We
would like to
> coordinate
> > > with
> > > >> you
> > > >> > > > > > > to solve the reported vulnerability,
and your
> cooperation
> > > would
> > > >> > be
> > > >> > > > > > > greatly appreciated.
> > > >> > > > > > >
> > > >> > > > > > > Before we provide you the details of
the reported
> > > >> vulnerability,
> > > >> > > > > > > we would like to know the
appropriate point-of-contact
> > > person,
> > > >> > > > > > > or department/group/team to
communicate in regards to
> this
> > > >> issue.
> > > >> > > > > > > It would be greatly appreciated if
you could provide us
> > the
> > > >> below
> > > >> > > > > > > information at your earliest
convenience.
> > > >> > > > > > > -Name of the person/team who is in
charge of such
> issues
> > > >> > > > > > > -Email address
> > > >> > > > > > > -PGP key if available
> > > >> > > > > > >
> > > >> > > > > > > Once we receive your reply and and
point-of-contact
> > > >> information,
> > > >> > > > > > > we will then send you the original
vulnerability report
> > and
> > > the
> > > >> > > > > > > details either in a PGP encrypted
message or in a
> password
> > > >> > > protected
> > > >> > > > > > > zip file.
> > > >> > > > > > >
> > > >> > > > > > > If you have any questions or
concerns, please do not
> > > hesitate
> > > >> > > > > > > to contact us any time.
> > > >> > > > > > >
> > > >> > > > > > > Thank you in advance for your
attention to this email.
> > > >> > > > > > > We would very much appreciate your
prompt reply.
> > > >> > > > > > >
> > > >> > > > > > > Sincerely yours,
> > > >> > > > > > >
> > > >> > > > > > > Noriko Takahashi
> > > >> > > > > > > Leader of Vulnerability Handling
Team
> > > >> > > > > > > Information Coordination Group
> > > >> > > > >
> > > >> >
> > ======================================================================
> > > >> > > > > JPCERT Coordination Center (JPCERT/CC)
> > > >> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
EMAIL:
> > > >> vuls(a)jpcert.or.jp
> > > >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29
63 89 52 D4
> F8
> > 8D
> > > 50
> > > >> FC
> > > >> > > > > https://www.jpcert.or.jp/english
http://jvn.jp/en/
> > > >> > http://jvn.jp
> > > >> > > > >
> > > >> > > > >
> > > >> > > > >
> > > >> > > > > --
> > > >> > > > > Dotclear Team
> > > >> > > > >
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> > > > --
> > > >> > > > Dotclear Team
> > > >> > > > --
> > > >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> > > >> > > > http://ml.dotclear.org/listinfo/dev
> > > >> > > >
> > > >> > > --
> > > >> > > Dev mailing list - Dev(a)list.dotclear.org -
> > > >> > > http://ml.dotclear.org/listinfo/dev
> > > >> > >
> > > >> >
> > > >> >
> > > >> >
> > > >> > --
> > > >> > Franck
> > > >> > --
> > > >> > Dev mailing list - Dev(a)list.dotclear.org -
> > > >> > http://ml.dotclear.org/listinfo/dev
> > > >> >
> > > >> --
> > > >> Dev mailing list - Dev(a)list.dotclear.org -
> > > >> http://ml.dotclear.org/listinfo/dev
> > > >>
> > > > --
> > > > Dev mailing list - Dev(a)list.dotclear.org -
> > > http://ml.dotclear.org/listinfo/dev
> > > --
> > > Dev mailing list - Dev(a)list.dotclear.org -
> > > http://ml.dotclear.org/listinfo/dev
> > >
> >
> >
> >
> > --
> > Franck
> > --
> > Dev mailing list - Dev(a)list.dotclear.org -
> > http://ml.dotclear.org/listinfo/dev
> >
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
8:11 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Where is your patch Julien ? :-D
2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
> moi je vois en clair dans le source:
>
> <input type="submit" value="ok" /></p><input
type="hidden"
name="xd_check" value="e583662b0e24493bb6d9e67cdfdc03140104694a"
/><input
type="hidden" name="q" value=""><img src=0
onerror=alert(document.cookie)>"
/><input type="hidden" name="qtype" value="p"
/></div></form><form
action="/blog/admin/search.php" method="get"><div
class="pager"><ul><li
class="first no-link btn"><img
src="images/pagination/no-first.png"
alt="Première page"/></li><li class="prev no-link
btn"><img
src="images/pagination/no-previous.png" alt="Page
précédente"/></li><li
class="active"><strong>Page 1 / 16</strong></li><li
class="next btn"><a
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
src="images/pagination/next.png" alt="Page
suivante"/></a><span
class="hidden">Page suivante</span></li><li class="last
btn"><a
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
src="images/pagination/last.png" alt="Dernière
page"/></a><span
class="hidden">Dernière page</span></li><li
class="direct-access">Aller à
la page : <input type="text" size="3" name="page"
maxlength="10" /><input
type="submit" value="ok" class="reset" name="ok"
/><input type="hidden"
name="q" value=""><img src=0
onerror=alert(document.cookie)>" /><input
type="hidden" name="qtype" value="p"
/></li></ul></div></form><div
id="help"><hr /><div class="help-content
clear"><h3>Aide pour cette
page</h3>
>
>
> (cherche "xd_check")
>
> après, pourquoi ça se reproduit pas ailleurs, j'en sais rien, mais je
vois
> quand même bien qu'on échappe pas l'entrée utilisateur alors qu'on le
> devrait.
>
>
> On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
>
>> Re,
>>
>>
>> 2014-07-08 17:28 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
>>
>> > Apparemment c'est un problème côté firefox, pas Dotclear. les chaînes
>> sont
>> > à priori bien échappées à la recherche et à l'affichage.
>> >
>> > Et oui Franck, sinon le problème existerait quel que soit le
navigateur.
>>
>>
>>
>> >
>> > 2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
>> >
>> > > Je reproduis avec Firefox seulement aussi, sur la version 2.6.3 et
>> > 2.7-dev
>> > > --
>> > > Philippe
>> > >
>> > >
>> > > 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
>> > > > Je reproduis aussi mais uniquement avec le panda bleu ! :-)
>> > > >
>> > > >
>> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com>:
>> > > >
>> > > >> je reproduis sur mon blog (mais qui a pas la dernière
version)
>> > > >>
>> > > >>
>> > > >> On 8 July 2014 16:26, Franck Paul
<carnet.franck.paul(a)gmail.com>
>> > wrote:
>> > > >>
>> > > >> > JPCERT97966327
>> > > >> >
>> > > >> >
>> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com>:
>> > > >> >
>> > > >> > > faut le mot de passe :)
>> > > >> > >
>> > > >> > >
>> > > >> > > On 8 July 2014 16:04, Dotclear (contact) <
contact(a)dotclear.net
>> >
>> > > wrote:
>> > > >> > >
>> > > >> > > > L'archive qui détaille un peu tout :
>> > > >> > > >
>> > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
>> > > >> > > >
>> > > >> > > >
>> > > >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact)
<
>> > > contact(a)dotclear.net
>> > > >> >:
>> > > >> > > >
>> > > >> > > > > Jour les gens,
>> > > >> > > > >
>> > > >> > > > > On a reçu ce matin un rapport au sujet
d'une faille XSS
>> (voir
>> > > >> > > ci-dessous,
>> > > >> > > > > le mot de passe de l'archive est
JPCERT97966327) mais je
>> > > n'arrive
>> > > >> > pas à
>> > > >> > > > > reproduire la faille.
>> > > >> > > > > Quelqu'un peut regarder ça de son
côté ?
>> > > >> > > > >
>> > > >> > > > > Franck
>> > > >> > > > >
>> > > >> > > > > ---------- Forwarded message ----------
>> > > >> > > > > From: JPCERT/CC
<vuls(a)jpcert.or.jp>
>> > > >> > > > > Date: 2014-07-08 4:36 GMT+02:00
>> > > >> > > > > Subject: Re: Inquiry on vulnerability
found in Dotclear
>> 2.6.3
>> > > VN:
>> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
>> > > >> > > > > To: Dotclear Development Team
<contact(a)dotclear.net>
>> > > >> > > > >
>> > > >> > > > >
>> > > >> > > > > Hello xave @ the Dotclear Team,
>> > > >> > > > >
>> > > >> > > > > We have received a vulnerability report
for one of your
>> > > products:
>> > > >> > > > >
>> > > >> > > > > - Dotclear 2.6.3 vulnerable to
cross-site scripting
>> > > >> > > > >
>> > > >> > > > > I have attached the details of the
reported vulnerability
>> to
>> > > this
>> > > >> > > email.
>> > > >> > > > > The password for the zip file will be
sent in a separate
>> > email.
>> > > >> > > > > The original report was against version
2.6.2, but the
>> issue
>> > was
>> > > >> also
>> > > >> > > > > verified to still exist in 2.6.3. Please
see the report
for
>> > more
>> > > >> > > details.
>> > > >> > > > >
>> > > >> > > > > Please take a look at the report and
return to us with
the
>> > > >> > information
>> > > >> > > > > such as;
>> > > >> > > > > -validate the products, and whether the
reported
>> > vulnerability
>> > > is
>> > > >> > > > > confirmed or not
>> > > >> > > > > -solutions (e.g., patch or module
update)
>> > > >> > > > > -workarounds if any
>> > > >> > > > > -estimated time for creation of fixes
>> > > >> > > > > -preferable date for public release on
your site
>> > > >> > > > > *we will also publish an advisory for
this issue on our
>> > > >> > vulnerability
>> > > >> > > > > knowledge base, JVN, http://jvn.jp,
http://jvn.jp/en/
,
>> > > >> > > > > synchronizing with your release
schedule.
>> > > >> > > > >
>> > > >> > > > > **Caution**
>> > > >> > > > > We have assigned the tracking number
for this
>> vulnerability
>> > > >> issue;
>> > > >> > > > > [VN: JVN#61637002 / TN:
JPCERT#97966327]
>> > > >> > > > > Please be sure to include these numbers
in the subject
>> line
>> > > for
>> > > >> > > > > future communication with us. We
appreciate your
>> > cooperation
>> > > on
>> > > >> > > this.
>> > > >> > > > >
>> > > >> > > > > If you have any questions and concerns,
please do not
>> hesitate
>> > > to
>> > > >> > > > > contact us any time.
>> > > >> > > > >
>> > > >> > > > > Thank you in advance for your attention
on this matter.
>> > > >> > > > > We are looking forward to hearing from
you.
>> > > >> > > > >
>> > > >> > > > > Sincerely yours,
>> > > >> > > > >
>> > > >> > > > > Takayuki Uchiyama
>> > > >> > > > > JPCERT/CC Vulnerability Handling Team
>> > > >> > > > >
>> > > >> > > > > > Hello,
>> > > >> > > > > >
>> > > >> > > > > > Please be aware that Dotclear 2.6.2
is not the latest
>> > version:
>> > > >> > v2.6.3
>> > > >> > > > > > was released in May to patch
vulnerabilities found in
>> 2.6.2
>> > > >> (listed
>> > > >> > > at
>> > > >> > > > > >
>> > > >> > > > >
>> > > >> > > >
>> > > >> > >
>> > > >> >
>> > > >>
>> > >
>> >
>>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
>> > > >> > > > > > )
>> > > >> > > > > >
>> > > >> > > > > > If the vulnerabilities you found are
not the one listed
>> and
>> > > still
>> > > >> > > > > > exist in 2.6.3, please send any
information to
>> > > >> > security(a)dotclear.net
>> > > >> > > > > > where you'll reach several
members of the team (we do
not
>> > use
>> > > a
>> > > >> GPG
>> > > >> > > > > > key).
>> > > >> > > > > >
>> > > >> > > > > > xave, for the Dotclear Team.
>> > > >> > > > > >
>> > > >> > > > > >
>> > > >> > > > > >
>> > > >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM,
JPCERT/CC <
>> > vuls(a)jpcert.or.jp
>> > > >
>> > > >> > > wrote:
>> > > >> > > > > > > To whom it may concern,
>> > > >> > > > > > >
>> > > >> > > > > > > Hello. This is Noriko
Takahashi from JPCERT/CC
>> > > Vulnerability
>> > > >> > > > > > > Handling Team. Please excuse
the sudden contact.
>> > > >> > > > > > >
>> > > >> > > > > > > If you're not familiar with
us or our activities,
>> please
>> > > >> > > > > > > check the following websites
for more information.
>> > > >> > > > > > >
>> > > >> > > > > > >
http://www.jpcert.or.jp/english/
>> > > >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
>> > > >> > > > > > >
>> > > >> > > > >
>> > > >> >
>> > >
>> http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
>> > > >> > > > > > > http://jvn.jp/en/
>> > > >> > > > > > >
>> > > >> > > > > > > We have received a report of a
vulnerability found in
>> the
>> > > >> > > > > > > product "Dotclear
2.6.2" from a researcher/user here
in
>> > > Japan
>> > > >> > > > > > > under the vulnerability
handling framework called
>> > > "Information
>> > > >> > > > > > > Security Early Warning
Partnership" and the official
>> > > >> announcement
>> > > >> > > > > > > #235 "Software
Vulnerability Related Information
>> Handling
>> > > >> > Measures"
>> > > >> > > > > > > which were designed by Ministry
of Economy, Trade and
>> > > Industry
>> > > >> > > > (METI),
>> > > >> > > > > > > a Japanese cabinet.
>> > > >> > > > > > >
>> > > >> > > > > > > From the website
>> > > >> > > > > > > http://dotclear.org/contact
>> > > >> > > > > > > we found this email address. We
would like to
>> coordinate
>> > > with
>> > > >> you
>> > > >> > > > > > > to solve the reported
vulnerability, and your
>> cooperation
>> > > would
>> > > >> > be
>> > > >> > > > > > > greatly appreciated.
>> > > >> > > > > > >
>> > > >> > > > > > > Before we provide you the
details of the reported
>> > > >> vulnerability,
>> > > >> > > > > > > we would like to know the
appropriate
point-of-contact
>> > > person,
>> > > >> > > > > > > or department/group/team to
communicate in regards to
>> this
>> > > >> issue.
>> > > >> > > > > > > It would be greatly appreciated
if you could provide
us
>> > the
>> > > >> below
>> > > >> > > > > > > information at your earliest
convenience.
>> > > >> > > > > > > -Name of the person/team who
is in charge of such
>> issues
>> > > >> > > > > > > -Email address
>> > > >> > > > > > > -PGP key if available
>> > > >> > > > > > >
>> > > >> > > > > > > Once we receive your reply and
and point-of-contact
>> > > >> information,
>> > > >> > > > > > > we will then send you the
original vulnerability
report
>> > and
>> > > the
>> > > >> > > > > > > details either in a PGP
encrypted message or in a
>> password
>> > > >> > > protected
>> > > >> > > > > > > zip file.
>> > > >> > > > > > >
>> > > >> > > > > > > If you have any questions or
concerns, please do not
>> > > hesitate
>> > > >> > > > > > > to contact us any time.
>> > > >> > > > > > >
>> > > >> > > > > > > Thank you in advance for your
attention to this
email.
>> > > >> > > > > > > We would very much appreciate
your prompt reply.
>> > > >> > > > > > >
>> > > >> > > > > > > Sincerely yours,
>> > > >> > > > > > >
>> > > >> > > > > > > Noriko Takahashi
>> > > >> > > > > > > Leader of Vulnerability
Handling Team
>> > > >> > > > > > > Information Coordination Group
>> > > >> > > > >
>> > > >> >
>> > ======================================================================
>> > > >> > > > > JPCERT Coordination Center (JPCERT/CC)
>> > > >> > > > > TEL: +81-3-3518-4600 FAX:
+81-3-3518-4602 EMAIL:
>> > > >> vuls(a)jpcert.or.jp
>> > > >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19
29 63 89 52 D4
>> F8
>> > 8D
>> > > 50
>> > > >> FC
>> > > >> > > > > https://www.jpcert.or.jp/english
http://jvn.jp/en/
>> > > >> > http://jvn.jp
>> > > >> > > > >
>> > > >> > > > >
>> > > >> > > > >
>> > > >> > > > > --
>> > > >> > > > > Dotclear Team
>> > > >> > > > >
>> > > >> > > >
>> > > >> > > >
>> > > >> > > >
>> > > >> > > > --
>> > > >> > > > Dotclear Team
>> > > >> > > > --
>> > > >> > > > Dev mailing list - Dev(a)list.dotclear.org -
>> > > >> > > > http://ml.dotclear.org/listinfo/dev
>> > > >> > > >
>> > > >> > > --
>> > > >> > > Dev mailing list - Dev(a)list.dotclear.org -
>> > > >> > > http://ml.dotclear.org/listinfo/dev
>> > > >> > >
>> > > >> >
>> > > >> >
>> > > >> >
>> > > >> > --
>> > > >> > Franck
>> > > >> > --
>> > > >> > Dev mailing list - Dev(a)list.dotclear.org -
>> > > >> > http://ml.dotclear.org/listinfo/dev
>> > > >> >
>> > > >> --
>> > > >> Dev mailing list - Dev(a)list.dotclear.org -
>> > > >> http://ml.dotclear.org/listinfo/dev
>> > > >>
>> > > > --
>> > > > Dev mailing list - Dev(a)list.dotclear.org -
>> > > http://ml.dotclear.org/listinfo/dev
>> > > --
>> > > Dev mailing list - Dev(a)list.dotclear.org -
>> > > http://ml.dotclear.org/listinfo/dev
>> > >
>> >
>> >
>> >
>> > --
>> > Franck
>> > --
>> > Dev mailing list - Dev(a)list.dotclear.org -
>> > http://ml.dotclear.org/listinfo/dev
>> >
>> --
>> Dev mailing list - Dev(a)list.dotclear.org -
>> http://ml.dotclear.org/listinfo/dev
>>
>
>
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
--
Franck
10:36 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
J'ai commité un truc vite fait pour tenter de corriger ça. Vous pouvez
vérifier demain avec la nightly ? (branche 2.6)
2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
Where is your patch Julien ? :-D
2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
>
>
> On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
>
> > moi je vois en clair dans le source:
> >
> > <input type="submit" value="ok" /></p><input
type="hidden"
> name="xd_check" value="e583662b0e24493bb6d9e67cdfdc03140104694a"
/><input
> type="hidden" name="q" value=""><img src=0
onerror=alert(document.cookie)>"
> /><input type="hidden" name="qtype" value="p"
/></div></form><form
> action="/blog/admin/search.php" method="get"><div
class="pager"><ul><li
> class="first no-link btn"><img
src="images/pagination/no-first.png"
> alt="Première page"/></li><li class="prev no-link
btn"><img
> src="images/pagination/no-previous.png" alt="Page
précédente"/></li><li
> class="active"><strong>Page 1 / 16</strong></li><li
class="next btn"><a
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
> src="images/pagination/next.png" alt="Page
suivante"/></a><span
> class="hidden">Page suivante</span></li><li
class="last btn"><a
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
> src="images/pagination/last.png" alt="Dernière
page"/></a><span
> class="hidden">Dernière page</span></li><li
class="direct-access">Aller à
> la page : <input type="text" size="3" name="page"
maxlength="10" /><input
> type="submit" value="ok" class="reset"
name="ok" /><input type="hidden"
> name="q" value=""><img src=0
onerror=alert(document.cookie)>" /><input
> type="hidden" name="qtype" value="p"
/></li></ul></div></form><div
> id="help"><hr /><div class="help-content
clear"><h3>Aide pour cette
> page</h3>
> >
> >
> > (cherche "xd_check")
> >
> > après, pourquoi ça se reproduit pas ailleurs, j'en sais rien, mais je
> vois
> > quand même bien qu'on échappe pas l'entrée utilisateur alors qu'on
le
> > devrait.
> >
> >
> > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> >
> >> Re,
> >>
> >>
> >> 2014-07-08 17:28 GMT+02:00 Franck Paul
<carnet.franck.paul(a)gmail.com>:
> >>
> >> > Apparemment c'est un problème côté firefox, pas Dotclear. les
chaînes
> >> sont
> >> > à priori bien échappées à la recherche et à l'affichage.
> >> >
> >> > Et oui Franck, sinon le problème existerait quel que soit le
> navigateur.
> >>
> >>
> >>
> >> >
> >> > 2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
> >> >
> >> > > Je reproduis avec Firefox seulement aussi, sur la version 2.6.3
et
> >> > 2.7-dev
> >> > > --
> >> > > Philippe
> >> > >
> >> > >
> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
> >> > > > Je reproduis aussi mais uniquement avec le panda bleu ! :-)
> >> > > >
> >> > > >
> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com>:
> >> > > >
> >> > > >> je reproduis sur mon blog (mais qui a pas la dernière
version)
> >> > > >>
> >> > > >>
> >> > > >> On 8 July 2014 16:26, Franck Paul
<carnet.franck.paul(a)gmail.com
> >
> >> > wrote:
> >> > > >>
> >> > > >> > JPCERT97966327
> >> > > >> >
> >> > > >> >
> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com
> >:
> >> > > >> >
> >> > > >> > > faut le mot de passe :)
> >> > > >> > >
> >> > > >> > >
> >> > > >> > > On 8 July 2014 16:04, Dotclear (contact) <
> contact(a)dotclear.net
> >> >
> >> > > wrote:
> >> > > >> > >
> >> > > >> > > > L'archive qui détaille un peu tout :
> >> > > >> > > >
> >> > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> >> > > >> > > >
> >> > > >> > > >
> >> > > >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear
(contact) <
> >> > > contact(a)dotclear.net
> >> > > >> >:
> >> > > >> > > >
> >> > > >> > > > > Jour les gens,
> >> > > >> > > > >
> >> > > >> > > > > On a reçu ce matin un rapport au
sujet d'une faille XSS
> >> (voir
> >> > > >> > > ci-dessous,
> >> > > >> > > > > le mot de passe de l'archive est
JPCERT97966327) mais je
> >> > > n'arrive
> >> > > >> > pas à
> >> > > >> > > > > reproduire la faille.
> >> > > >> > > > > Quelqu'un peut regarder ça de son
côté ?
> >> > > >> > > > >
> >> > > >> > > > > Franck
> >> > > >> > > > >
> >> > > >> > > > > ---------- Forwarded message
----------
> >> > > >> > > > > From: JPCERT/CC
<vuls(a)jpcert.or.jp>
> >> > > >> > > > > Date: 2014-07-08 4:36 GMT+02:00
> >> > > >> > > > > Subject: Re: Inquiry on vulnerability
found in Dotclear
> >> 2.6.3
> >> > > VN:
> >> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
> >> > > >> > > > > To: Dotclear Development Team
<contact(a)dotclear.net>
> >> > > >> > > > >
> >> > > >> > > > >
> >> > > >> > > > > Hello xave @ the Dotclear Team,
> >> > > >> > > > >
> >> > > >> > > > > We have received a vulnerability
report for one of your
> >> > > products:
> >> > > >> > > > >
> >> > > >> > > > > - Dotclear 2.6.3 vulnerable to
cross-site scripting
> >> > > >> > > > >
> >> > > >> > > > > I have attached the details of the
reported
> vulnerability
> >> to
> >> > > this
> >> > > >> > > email.
> >> > > >> > > > > The password for the zip file will be
sent in a separate
> >> > email.
> >> > > >> > > > > The original report was against
version 2.6.2, but the
> >> issue
> >> > was
> >> > > >> also
> >> > > >> > > > > verified to still exist in 2.6.3.
Please see the report
> for
> >> > more
> >> > > >> > > details.
> >> > > >> > > > >
> >> > > >> > > > > Please take a look at the report and
return to us with
> the
> >> > > >> > information
> >> > > >> > > > > such as;
> >> > > >> > > > > -validate the products, and whether
the reported
> >> > vulnerability
> >> > > is
> >> > > >> > > > > confirmed or not
> >> > > >> > > > > -solutions (e.g., patch or module
update)
> >> > > >> > > > > -workarounds if any
> >> > > >> > > > > -estimated time for creation of
fixes
> >> > > >> > > > > -preferable date for public release
on your site
> >> > > >> > > > > *we will also publish an advisory
for this issue on
> our
> >> > > >> > vulnerability
> >> > > >> > > > > knowledge base, JVN,
http://jvn.jp,
> http://jvn.jp/en/,
> >> > > >> > > > > synchronizing with your release
schedule.
> >> > > >> > > > >
> >> > > >> > > > > **Caution**
> >> > > >> > > > > We have assigned the tracking
number for this
> >> vulnerability
> >> > > >> issue;
> >> > > >> > > > > [VN: JVN#61637002 / TN:
JPCERT#97966327]
> >> > > >> > > > > Please be sure to include these
numbers in the subject
> >> line
> >> > > for
> >> > > >> > > > > future communication with us. We
appreciate your
> >> > cooperation
> >> > > on
> >> > > >> > > this.
> >> > > >> > > > >
> >> > > >> > > > > If you have any questions and
concerns, please do not
> >> hesitate
> >> > > to
> >> > > >> > > > > contact us any time.
> >> > > >> > > > >
> >> > > >> > > > > Thank you in advance for your
attention on this matter.
> >> > > >> > > > > We are looking forward to hearing
from you.
> >> > > >> > > > >
> >> > > >> > > > > Sincerely yours,
> >> > > >> > > > >
> >> > > >> > > > > Takayuki Uchiyama
> >> > > >> > > > > JPCERT/CC Vulnerability Handling
Team
> >> > > >> > > > >
> >> > > >> > > > > > Hello,
> >> > > >> > > > > >
> >> > > >> > > > > > Please be aware that Dotclear
2.6.2 is not the latest
> >> > version:
> >> > > >> > v2.6.3
> >> > > >> > > > > > was released in May to patch
vulnerabilities found in
> >> 2.6.2
> >> > > >> (listed
> >> > > >> > > at
> >> > > >> > > > > >
> >> > > >> > > > >
> >> > > >> > > >
> >> > > >> > >
> >> > > >> >
> >> > > >>
> >> > >
> >> >
> >>
> http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> >> > > >> > > > > > )
> >> > > >> > > > > >
> >> > > >> > > > > > If the vulnerabilities you found
are not the one
> listed
> >> and
> >> > > still
> >> > > >> > > > > > exist in 2.6.3, please send any
information to
> >> > > >> > security(a)dotclear.net
> >> > > >> > > > > > where you'll reach several
members of the team (we do
> not
> >> > use
> >> > > a
> >> > > >> GPG
> >> > > >> > > > > > key).
> >> > > >> > > > > >
> >> > > >> > > > > > xave, for the Dotclear Team.
> >> > > >> > > > > >
> >> > > >> > > > > >
> >> > > >> > > > > >
> >> > > >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM,
JPCERT/CC <
> >> > vuls(a)jpcert.or.jp
> >> > > >
> >> > > >> > > wrote:
> >> > > >> > > > > > > To whom it may concern,
> >> > > >> > > > > > >
> >> > > >> > > > > > > Hello. This is Noriko
Takahashi from JPCERT/CC
> >> > > Vulnerability
> >> > > >> > > > > > > Handling Team. Please
excuse the sudden contact.
> >> > > >> > > > > > >
> >> > > >> > > > > > > If you're not familiar
with us or our activities,
> >> please
> >> > > >> > > > > > > check the following
websites for more information.
> >> > > >> > > > > > >
> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/
> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
> >> > > >> > > > > > >
> >> > > >> > > > >
> >> > > >> >
> >> > >
> >> http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> >> > > >> > > > > > > http://jvn.jp/en/
> >> > > >> > > > > > >
> >> > > >> > > > > > > We have received a report
of a vulnerability found
> in
> >> the
> >> > > >> > > > > > > product "Dotclear
2.6.2" from a researcher/user
> here in
> >> > > Japan
> >> > > >> > > > > > > under the vulnerability
handling framework called
> >> > > "Information
> >> > > >> > > > > > > Security Early Warning
Partnership" and the official
> >> > > >> announcement
> >> > > >> > > > > > > #235 "Software
Vulnerability Related Information
> >> Handling
> >> > > >> > Measures"
> >> > > >> > > > > > > which were designed by
Ministry of Economy, Trade
> and
> >> > > Industry
> >> > > >> > > > (METI),
> >> > > >> > > > > > > a Japanese cabinet.
> >> > > >> > > > > > >
> >> > > >> > > > > > > From the website
> >> > > >> > > > > > >
http://dotclear.org/contact
> >> > > >> > > > > > > we found this email
address. We would like to
> >> coordinate
> >> > > with
> >> > > >> you
> >> > > >> > > > > > > to solve the reported
vulnerability, and your
> >> cooperation
> >> > > would
> >> > > >> > be
> >> > > >> > > > > > > greatly appreciated.
> >> > > >> > > > > > >
> >> > > >> > > > > > > Before we provide you the
details of the reported
> >> > > >> vulnerability,
> >> > > >> > > > > > > we would like to know the
appropriate
> point-of-contact
> >> > > person,
> >> > > >> > > > > > > or department/group/team to
communicate in regards
> to
> >> this
> >> > > >> issue.
> >> > > >> > > > > > > It would be greatly
appreciated if you could
> provide us
> >> > the
> >> > > >> below
> >> > > >> > > > > > > information at your
earliest convenience.
> >> > > >> > > > > > > -Name of the person/team
who is in charge of such
> >> issues
> >> > > >> > > > > > > -Email address
> >> > > >> > > > > > > -PGP key if available
> >> > > >> > > > > > >
> >> > > >> > > > > > > Once we receive your reply
and and point-of-contact
> >> > > >> information,
> >> > > >> > > > > > > we will then send you the
original vulnerability
> report
> >> > and
> >> > > the
> >> > > >> > > > > > > details either in a PGP
encrypted message or in a
> >> password
> >> > > >> > > protected
> >> > > >> > > > > > > zip file.
> >> > > >> > > > > > >
> >> > > >> > > > > > > If you have any questions
or concerns, please do not
> >> > > hesitate
> >> > > >> > > > > > > to contact us any time.
> >> > > >> > > > > > >
> >> > > >> > > > > > > Thank you in advance for
your attention to this
> email.
> >> > > >> > > > > > > We would very much
appreciate your prompt reply.
> >> > > >> > > > > > >
> >> > > >> > > > > > > Sincerely yours,
> >> > > >> > > > > > >
> >> > > >> > > > > > > Noriko Takahashi
> >> > > >> > > > > > > Leader of Vulnerability
Handling Team
> >> > > >> > > > > > > Information Coordination
Group
> >> > > >> > > > >
> >> > > >> >
> >> >
> ======================================================================
> >> > > >> > > > > JPCERT Coordination Center
(JPCERT/CC)
> >> > > >> > > > > TEL: +81-3-3518-4600 FAX:
+81-3-3518-4602 EMAIL:
> >> > > >> vuls(a)jpcert.or.jp
> >> > > >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D
39 19 29 63 89 52
> D4
> >> F8
> >> > 8D
> >> > > 50
> >> > > >> FC
> >> > > >> > > > > https://www.jpcert.or.jp/english
http://jvn.jp/en/
> >> > > >> > http://jvn.jp
> >> > > >> > > > >
> >> > > >> > > > >
> >> > > >> > > > >
> >> > > >> > > > > --
> >> > > >> > > > > Dotclear Team
> >> > > >> > > > >
> >> > > >> > > >
> >> > > >> > > >
> >> > > >> > > >
> >> > > >> > > > --
> >> > > >> > > > Dotclear Team
> >> > > >> > > > --
> >> > > >> > > > Dev mailing list - Dev(a)list.dotclear.org
-
> >> > > >> > > > http://ml.dotclear.org/listinfo/dev
> >> > > >> > > >
> >> > > >> > > --
> >> > > >> > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > > >> > > http://ml.dotclear.org/listinfo/dev
> >> > > >> > >
> >> > > >> >
> >> > > >> >
> >> > > >> >
> >> > > >> > --
> >> > > >> > Franck
> >> > > >> > --
> >> > > >> > Dev mailing list - Dev(a)list.dotclear.org -
> >> > > >> > http://ml.dotclear.org/listinfo/dev
> >> > > >> >
> >> > > >> --
> >> > > >> Dev mailing list - Dev(a)list.dotclear.org -
> >> > > >> http://ml.dotclear.org/listinfo/dev
> >> > > >>
> >> > > > --
> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > > http://ml.dotclear.org/listinfo/dev
> >> > > --
> >> > > Dev mailing list - Dev(a)list.dotclear.org -
> >> > > http://ml.dotclear.org/listinfo/dev
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Franck
> >> > --
> >> > Dev mailing list - Dev(a)list.dotclear.org -
> >> > http://ml.dotclear.org/listinfo/dev
> >> >
> >> --
> >> Dev mailing list - Dev(a)list.dotclear.org -
> >> http://ml.dotclear.org/listinfo/dev
> >>
> >
> >
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Franck
--
Franck
10:56 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
mmm c'est pas un peu bourrin? ça risque pas de péter les recherches parfois
?
ce que je fais généralement, c'est deux variables: une "échappée" que
j'utilise dès que je veux écrire, une "non échappée" pour les appels
d'API.
Tu sais quels sont les 3 endroits qui écrivent cette variable ? J'en vois
un avec le form::field là, mais je vois pas les autres
On 10 July 2014 10:36, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
J'ai commité un truc vite fait pour tenter de corriger ça. Vous
pouvez
vérifier demain avec la nightly ? (branche 2.6)
2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
> Where is your patch Julien ? :-D
>
>
> 2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
>
> note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
>>
>>
>> On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
>>
>> > moi je vois en clair dans le source:
>> >
>> > <input type="submit" value="ok"
/></p><input type="hidden"
>> name="xd_check"
value="e583662b0e24493bb6d9e67cdfdc03140104694a"
/><input
>> type="hidden" name="q" value=""><img src=0
onerror=alert(document.cookie)>"
>> /><input type="hidden" name="qtype"
value="p" /></div></form><form
>> action="/blog/admin/search.php" method="get"><div
class="pager"><ul><li
>> class="first no-link btn"><img
src="images/pagination/no-first.png"
>> alt="Première page"/></li><li class="prev no-link
btn"><img
>> src="images/pagination/no-previous.png" alt="Page
précédente"/></li><li
>> class="active"><strong>Page 1 /
16</strong></li><li class="next btn"><a
>>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
>> src="images/pagination/next.png" alt="Page
suivante"/></a><span
>> class="hidden">Page suivante</span></li><li
class="last btn"><a
>>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
>> src="images/pagination/last.png" alt="Dernière
page"/></a><span
>> class="hidden">Dernière page</span></li><li
class="direct-access">Aller
à
>> la page : <input type="text" size="3"
name="page" maxlength="10"
/><input
>> type="submit" value="ok" class="reset"
name="ok" /><input type="hidden"
>> name="q" value=""><img src=0
onerror=alert(document.cookie)>" /><input
>> type="hidden" name="qtype" value="p"
/></li></ul></div></form><div
>> id="help"><hr /><div class="help-content
clear"><h3>Aide pour cette
>> page</h3>
>> >
>> >
>> > (cherche "xd_check")
>> >
>> > après, pourquoi ça se reproduit pas ailleurs, j'en sais rien, mais je
>> vois
>> > quand même bien qu'on échappe pas l'entrée utilisateur alors
qu'on le
>> > devrait.
>> >
>> >
>> > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
>> >
>> >> Re,
>> >>
>> >>
>> >> 2014-07-08 17:28 GMT+02:00 Franck Paul
<carnet.franck.paul(a)gmail.com
>:
>> >>
>> >> > Apparemment c'est un problème côté firefox, pas Dotclear. les
chaînes
>> >> sont
>> >> > à priori bien échappées à la recherche et à l'affichage.
>> >> >
>> >> > Et oui Franck, sinon le problème existerait quel que soit le
>> navigateur.
>> >>
>> >>
>> >>
>> >> >
>> >> > 2014-07-08 17:06 GMT+02:00 Philippe
<philippe(a)dissitou.org>:
>> >> >
>> >> > > Je reproduis avec Firefox seulement aussi, sur la version
2.6.3
et
>> >> > 2.7-dev
>> >> > > --
>> >> > > Philippe
>> >> > >
>> >> > >
>> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas
<nikrou77(a)gmail.com>:
>> >> > > > Je reproduis aussi mais uniquement avec le panda bleu !
:-)
>> >> > > >
>> >> > > >
>> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com>:
>> >> > > >
>> >> > > >> je reproduis sur mon blog (mais qui a pas la
dernière version)
>> >> > > >>
>> >> > > >>
>> >> > > >> On 8 July 2014 16:26, Franck Paul <
carnet.franck.paul(a)gmail.com
>> >
>> >> > wrote:
>> >> > > >>
>> >> > > >> > JPCERT97966327
>> >> > > >> >
>> >> > > >> >
>> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg
<
felash(a)gmail.com
>> >:
>> >> > > >> >
>> >> > > >> > > faut le mot de passe :)
>> >> > > >> > >
>> >> > > >> > >
>> >> > > >> > > On 8 July 2014 16:04, Dotclear (contact)
<
>> contact(a)dotclear.net
>> >> >
>> >> > > wrote:
>> >> > > >> > >
>> >> > > >> > > > L'archive qui détaille un peu
tout :
>> >> > > >> > > >
>> >> > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
>> >> > > >> > > >
>> >> > > >> > > >
>> >> > > >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear
(contact) <
>> >> > > contact(a)dotclear.net
>> >> > > >> >:
>> >> > > >> > > >
>> >> > > >> > > > > Jour les gens,
>> >> > > >> > > > >
>> >> > > >> > > > > On a reçu ce matin un rapport au
sujet d'une faille
XSS
>> >> (voir
>> >> > > >> > > ci-dessous,
>> >> > > >> > > > > le mot de passe de l'archive
est JPCERT97966327) mais
je
>> >> > > n'arrive
>> >> > > >> > pas à
>> >> > > >> > > > > reproduire la faille.
>> >> > > >> > > > > Quelqu'un peut regarder ça
de son côté ?
>> >> > > >> > > > >
>> >> > > >> > > > > Franck
>> >> > > >> > > > >
>> >> > > >> > > > > ---------- Forwarded message
----------
>> >> > > >> > > > > From: JPCERT/CC
<vuls(a)jpcert.or.jp>
>> >> > > >> > > > > Date: 2014-07-08 4:36 GMT+02:00
>> >> > > >> > > > > Subject: Re: Inquiry on
vulnerability found in
Dotclear
>> >> 2.6.3
>> >> > > VN:
>> >> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
>> >> > > >> > > > > To: Dotclear Development Team
<contact(a)dotclear.net>
>> >> > > >> > > > >
>> >> > > >> > > > >
>> >> > > >> > > > > Hello xave @ the Dotclear Team,
>> >> > > >> > > > >
>> >> > > >> > > > > We have received a vulnerability
report for one of
your
>> >> > > products:
>> >> > > >> > > > >
>> >> > > >> > > > > - Dotclear 2.6.3 vulnerable to
cross-site scripting
>> >> > > >> > > > >
>> >> > > >> > > > > I have attached the details of
the reported
>> vulnerability
>> >> to
>> >> > > this
>> >> > > >> > > email.
>> >> > > >> > > > > The password for the zip file
will be sent in a
separate
>> >> > email.
>> >> > > >> > > > > The original report was against
version 2.6.2, but the
>> >> issue
>> >> > was
>> >> > > >> also
>> >> > > >> > > > > verified to still exist in
2.6.3. Please see the
report
>> for
>> >> > more
>> >> > > >> > > details.
>> >> > > >> > > > >
>> >> > > >> > > > > Please take a look at the report
and return to us with
>> the
>> >> > > >> > information
>> >> > > >> > > > > such as;
>> >> > > >> > > > > -validate the products, and
whether the reported
>> >> > vulnerability
>> >> > > is
>> >> > > >> > > > > confirmed or not
>> >> > > >> > > > > -solutions (e.g., patch or
module update)
>> >> > > >> > > > > -workarounds if any
>> >> > > >> > > > > -estimated time for creation of
fixes
>> >> > > >> > > > > -preferable date for public
release on your site
>> >> > > >> > > > > *we will also publish an
advisory for this issue on
>> our
>> >> > > >> > vulnerability
>> >> > > >> > > > > knowledge base, JVN,
http://jvn.jp,
>> http://jvn.jp/en/,
>> >> > > >> > > > > synchronizing with your
release schedule.
>> >> > > >> > > > >
>> >> > > >> > > > > **Caution**
>> >> > > >> > > > > We have assigned the tracking
number for this
>> >> vulnerability
>> >> > > >> issue;
>> >> > > >> > > > > [VN: JVN#61637002 / TN:
JPCERT#97966327]
>> >> > > >> > > > > Please be sure to include
these numbers in the
subject
>> >> line
>> >> > > for
>> >> > > >> > > > > future communication with us.
We appreciate your
>> >> > cooperation
>> >> > > on
>> >> > > >> > > this.
>> >> > > >> > > > >
>> >> > > >> > > > > If you have any questions and
concerns, please do not
>> >> hesitate
>> >> > > to
>> >> > > >> > > > > contact us any time.
>> >> > > >> > > > >
>> >> > > >> > > > > Thank you in advance for your
attention on this
matter.
>> >> > > >> > > > > We are looking forward to
hearing from you.
>> >> > > >> > > > >
>> >> > > >> > > > > Sincerely yours,
>> >> > > >> > > > >
>> >> > > >> > > > > Takayuki Uchiyama
>> >> > > >> > > > > JPCERT/CC Vulnerability Handling
Team
>> >> > > >> > > > >
>> >> > > >> > > > > > Hello,
>> >> > > >> > > > > >
>> >> > > >> > > > > > Please be aware that
Dotclear 2.6.2 is not the
latest
>> >> > version:
>> >> > > >> > v2.6.3
>> >> > > >> > > > > > was released in May to
patch vulnerabilities found
in
>> >> 2.6.2
>> >> > > >> (listed
>> >> > > >> > > at
>> >> > > >> > > > > >
>> >> > > >> > > > >
>> >> > > >> > > >
>> >> > > >> > >
>> >> > > >> >
>> >> > > >>
>> >> > >
>> >> >
>> >>
>>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
>> >> > > >> > > > > > )
>> >> > > >> > > > > >
>> >> > > >> > > > > > If the vulnerabilities you
found are not the one
>> listed
>> >> and
>> >> > > still
>> >> > > >> > > > > > exist in 2.6.3, please send
any information to
>> >> > > >> > security(a)dotclear.net
>> >> > > >> > > > > > where you'll reach
several members of the team (we
do
>> not
>> >> > use
>> >> > > a
>> >> > > >> GPG
>> >> > > >> > > > > > key).
>> >> > > >> > > > > >
>> >> > > >> > > > > > xave, for the Dotclear
Team.
>> >> > > >> > > > > >
>> >> > > >> > > > > >
>> >> > > >> > > > > >
>> >> > > >> > > > > > On Wed, Jun 25, 2014 at
5:10 AM, JPCERT/CC <
>> >> > vuls(a)jpcert.or.jp
>> >> > > >
>> >> > > >> > > wrote:
>> >> > > >> > > > > > > To whom it may
concern,
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Hello. This is Noriko
Takahashi from JPCERT/CC
>> >> > > Vulnerability
>> >> > > >> > > > > > > Handling Team. Please
excuse the sudden contact.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > If you're not
familiar with us or our activities,
>> >> please
>> >> > > >> > > > > > > check the following
websites for more information.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/
>> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
>> >> > > >> > > > > > >
>> >> > > >> > > > >
>> >> > > >> >
>> >> > >
>> >>
http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
>> >> > > >> > > > > > > http://jvn.jp/en/
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > We have received a
report of a vulnerability found
>> in
>> >> the
>> >> > > >> > > > > > > product "Dotclear
2.6.2" from a researcher/user
>> here in
>> >> > > Japan
>> >> > > >> > > > > > > under the
vulnerability handling framework called
>> >> > > "Information
>> >> > > >> > > > > > > Security Early Warning
Partnership" and the
official
>> >> > > >> announcement
>> >> > > >> > > > > > > #235 "Software
Vulnerability Related Information
>> >> Handling
>> >> > > >> > Measures"
>> >> > > >> > > > > > > which were designed by
Ministry of Economy, Trade
>> and
>> >> > > Industry
>> >> > > >> > > > (METI),
>> >> > > >> > > > > > > a Japanese cabinet.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > From the website
>> >> > > >> > > > > > >
http://dotclear.org/contact
>> >> > > >> > > > > > > we found this email
address. We would like to
>> >> coordinate
>> >> > > with
>> >> > > >> you
>> >> > > >> > > > > > > to solve the reported
vulnerability, and your
>> >> cooperation
>> >> > > would
>> >> > > >> > be
>> >> > > >> > > > > > > greatly appreciated.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Before we provide you
the details of the reported
>> >> > > >> vulnerability,
>> >> > > >> > > > > > > we would like to know
the appropriate
>> point-of-contact
>> >> > > person,
>> >> > > >> > > > > > > or
department/group/team to communicate in regards
>> to
>> >> this
>> >> > > >> issue.
>> >> > > >> > > > > > > It would be greatly
appreciated if you could
>> provide us
>> >> > the
>> >> > > >> below
>> >> > > >> > > > > > > information at your
earliest convenience.
>> >> > > >> > > > > > > -Name of the
person/team who is in charge of such
>> >> issues
>> >> > > >> > > > > > > -Email address
>> >> > > >> > > > > > > -PGP key if
available
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Once we receive your
reply and and
point-of-contact
>> >> > > >> information,
>> >> > > >> > > > > > > we will then send you
the original vulnerability
>> report
>> >> > and
>> >> > > the
>> >> > > >> > > > > > > details either in a
PGP encrypted message or in a
>> >> password
>> >> > > >> > > protected
>> >> > > >> > > > > > > zip file.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > If you have any
questions or concerns, please do
not
>> >> > > hesitate
>> >> > > >> > > > > > > to contact us any
time.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Thank you in advance
for your attention to this
>> email.
>> >> > > >> > > > > > > We would very much
appreciate your prompt reply.
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Sincerely yours,
>> >> > > >> > > > > > >
>> >> > > >> > > > > > > Noriko Takahashi
>> >> > > >> > > > > > > Leader of
Vulnerability Handling Team
>> >> > > >> > > > > > > Information
Coordination Group
>> >> > > >> > > > >
>> >> > > >> >
>> >> >
>> ======================================================================
>> >> > > >> > > > > JPCERT Coordination Center
(JPCERT/CC)
>> >> > > >> > > > > TEL: +81-3-3518-4600 FAX:
+81-3-3518-4602 EMAIL:
>> >> > > >> vuls(a)jpcert.or.jp
>> >> > > >> > > > > PGP key: 0x33E6021D: B9 E8 68 35
2D 39 19 29 63 89 52
>> D4
>> >> F8
>> >> > 8D
>> >> > > 50
>> >> > > >> FC
>> >> > > >> > > > > https://www.jpcert.or.jp/english
http://jvn.jp/en/
>> >> > > >> > http://jvn.jp
>> >> > > >> > > > >
>> >> > > >> > > > >
>> >> > > >> > > > >
>> >> > > >> > > > > --
>> >> > > >> > > > > Dotclear Team
>> >> > > >> > > > >
>> >> > > >> > > >
>> >> > > >> > > >
>> >> > > >> > > >
>> >> > > >> > > > --
>> >> > > >> > > > Dotclear Team
>> >> > > >> > > > --
>> >> > > >> > > > Dev mailing list -
Dev(a)list.dotclear.org -
>> >> > > >> > > > http://ml.dotclear.org/listinfo/dev
>> >> > > >> > > >
>> >> > > >> > > --
>> >> > > >> > > Dev mailing list - Dev(a)list.dotclear.org
-
>> >> > > >> > > http://ml.dotclear.org/listinfo/dev
>> >> > > >> > >
>> >> > > >> >
>> >> > > >> >
>> >> > > >> >
>> >> > > >> > --
>> >> > > >> > Franck
>> >> > > >> > --
>> >> > > >> > Dev mailing list - Dev(a)list.dotclear.org -
>> >> > > >> > http://ml.dotclear.org/listinfo/dev
>> >> > > >> >
>> >> > > >> --
>> >> > > >> Dev mailing list - Dev(a)list.dotclear.org -
>> >> > > >> http://ml.dotclear.org/listinfo/dev
>> >> > > >>
>> >> > > > --
>> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
>> >> > > http://ml.dotclear.org/listinfo/dev
>> >> > > --
>> >> > > Dev mailing list - Dev(a)list.dotclear.org -
>> >> > > http://ml.dotclear.org/listinfo/dev
>> >> > >
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Franck
>> >> > --
>> >> > Dev mailing list - Dev(a)list.dotclear.org -
>> >> > http://ml.dotclear.org/listinfo/dev
>> >> >
>> >> --
>> >> Dev mailing list - Dev(a)list.dotclear.org -
>> >> http://ml.dotclear.org/listinfo/dev
>> >>
>> >
>> >
>> --
>> Dev mailing list - Dev(a)list.dotclear.org -
>> http://ml.dotclear.org/listinfo/dev
>>
>
>
>
> --
> Franck
>
--
Franck
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
11:03 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Si c'est bourrin je l'admets, mais devant l'avalanche de patchs proposés,
j'ai paré au plus pressé.
2014-07-10 10:56 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
mmm c'est pas un peu bourrin? ça risque pas de péter les
recherches parfois
?
ce que je fais généralement, c'est deux variables: une "échappée" que
j'utilise dès que je veux écrire, une "non échappée" pour les appels
d'API.
Tu sais quels sont les 3 endroits qui écrivent cette variable ? J'en vois
un avec le form::field là, mais je vois pas les autres
On 10 July 2014 10:36, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
> J'ai commité un truc vite fait pour tenter de corriger ça. Vous pouvez
> vérifier demain avec la nightly ? (branche 2.6)
>
>
> 2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
>
> > Where is your patch Julien ? :-D
> >
> >
> > 2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> >
> > note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
> >>
> >>
> >> On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
> >>
> >> > moi je vois en clair dans le source:
> >> >
> >> > <input type="submit" value="ok"
/></p><input type="hidden"
> >> name="xd_check"
value="e583662b0e24493bb6d9e67cdfdc03140104694a"
> /><input
> >> type="hidden" name="q" value=""><img
src=0
> onerror=alert(document.cookie)>"
> >> /><input type="hidden" name="qtype"
value="p" /></div></form><form
> >> action="/blog/admin/search.php"
method="get"><div
class="pager"><ul><li
> >> class="first no-link btn"><img
src="images/pagination/no-first.png"
> >> alt="Première page"/></li><li class="prev
no-link btn"><img
> >> src="images/pagination/no-previous.png" alt="Page
précédente"/></li><li
> >> class="active"><strong>Page 1 /
16</strong></li><li class="next
btn"><a
> >>
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
> >> src="images/pagination/next.png" alt="Page
suivante"/></a><span
> >> class="hidden">Page suivante</span></li><li
class="last btn"><a
> >>
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
> >> src="images/pagination/last.png" alt="Dernière
page"/></a><span
> >> class="hidden">Dernière page</span></li><li
class="direct-access">Aller
> à
> >> la page : <input type="text" size="3"
name="page" maxlength="10"
> /><input
> >> type="submit" value="ok" class="reset"
name="ok" /><input
type="hidden"
> >> name="q" value=""><img src=0
onerror=alert(document.cookie)>"
/><input
> >> type="hidden" name="qtype" value="p"
/></li></ul></div></form><div
> >> id="help"><hr /><div class="help-content
clear"><h3>Aide pour cette
> >> page</h3>
> >> >
> >> >
> >> > (cherche "xd_check")
> >> >
> >> > après, pourquoi ça se reproduit pas ailleurs, j'en sais rien,
mais
je
> >> vois
> >> > quand même bien qu'on échappe pas l'entrée utilisateur alors
qu'on
le
> >> > devrait.
> >> >
> >> >
> >> > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> >> >
> >> >> Re,
> >> >>
> >> >>
> >> >> 2014-07-08 17:28 GMT+02:00 Franck Paul <
carnet.franck.paul(a)gmail.com
> >:
> >> >>
> >> >> > Apparemment c'est un problème côté firefox, pas Dotclear.
les
> chaînes
> >> >> sont
> >> >> > à priori bien échappées à la recherche et à l'affichage.
> >> >> >
> >> >> > Et oui Franck, sinon le problème existerait quel que soit le
> >> navigateur.
> >> >>
> >> >>
> >> >>
> >> >> >
> >> >> > 2014-07-08 17:06 GMT+02:00 Philippe
<philippe(a)dissitou.org>:
> >> >> >
> >> >> > > Je reproduis avec Firefox seulement aussi, sur la
version 2.6.3
> et
> >> >> > 2.7-dev
> >> >> > > --
> >> >> > > Philippe
> >> >> > >
> >> >> > >
> >> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas
<nikrou77(a)gmail.com>:
> >> >> > > > Je reproduis aussi mais uniquement avec le panda
bleu ! :-)
> >> >> > > >
> >> >> > > >
> >> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com
>:
> >> >> > > >
> >> >> > > >> je reproduis sur mon blog (mais qui a pas la
dernière
version)
> >> >> > > >>
> >> >> > > >>
> >> >> > > >> On 8 July 2014 16:26, Franck Paul <
> carnet.franck.paul(a)gmail.com
> >> >
> >> >> > wrote:
> >> >> > > >>
> >> >> > > >> > JPCERT97966327
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg
<
> felash(a)gmail.com
> >> >:
> >> >> > > >> >
> >> >> > > >> > > faut le mot de passe :)
> >> >> > > >> > >
> >> >> > > >> > >
> >> >> > > >> > > On 8 July 2014 16:04, Dotclear
(contact) <
> >> contact(a)dotclear.net
> >> >> >
> >> >> > > wrote:
> >> >> > > >> > >
> >> >> > > >> > > > L'archive qui détaille un
peu tout :
> >> >> > > >> > > >
> >> >> >
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> >> >> > > >> > > >
> >> >> > > >> > > >
> >> >> > > >> > > > 2014-07-08 15:08 GMT+02:00
Dotclear (contact) <
> >> >> > > contact(a)dotclear.net
> >> >> > > >> >:
> >> >> > > >> > > >
> >> >> > > >> > > > > Jour les gens,
> >> >> > > >> > > > >
> >> >> > > >> > > > > On a reçu ce matin un
rapport au sujet d'une faille
> XSS
> >> >> (voir
> >> >> > > >> > > ci-dessous,
> >> >> > > >> > > > > le mot de passe de
l'archive est JPCERT97966327)
mais
> je
> >> >> > > n'arrive
> >> >> > > >> > pas à
> >> >> > > >> > > > > reproduire la faille.
> >> >> > > >> > > > > Quelqu'un peut regarder
ça de son côté ?
> >> >> > > >> > > > >
> >> >> > > >> > > > > Franck
> >> >> > > >> > > > >
> >> >> > > >> > > > > ---------- Forwarded
message ----------
> >> >> > > >> > > > > From: JPCERT/CC
<vuls(a)jpcert.or.jp>
> >> >> > > >> > > > > Date: 2014-07-08 4:36
GMT+02:00
> >> >> > > >> > > > > Subject: Re: Inquiry on
vulnerability found in
> Dotclear
> >> >> 2.6.3
> >> >> > > VN:
> >> >> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
> >> >> > > >> > > > > To: Dotclear Development
Team <contact(a)dotclear.net
>
> >> >> > > >> > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > > > Hello xave @ the Dotclear
Team,
> >> >> > > >> > > > >
> >> >> > > >> > > > > We have received a
vulnerability report for one of
> your
> >> >> > > products:
> >> >> > > >> > > > >
> >> >> > > >> > > > > - Dotclear 2.6.3
vulnerable to cross-site
scripting
> >> >> > > >> > > > >
> >> >> > > >> > > > > I have attached the details
of the reported
> >> vulnerability
> >> >> to
> >> >> > > this
> >> >> > > >> > > email.
> >> >> > > >> > > > > The password for the zip
file will be sent in a
> separate
> >> >> > email.
> >> >> > > >> > > > > The original report was
against version 2.6.2, but
the
> >> >> issue
> >> >> > was
> >> >> > > >> also
> >> >> > > >> > > > > verified to still exist in
2.6.3. Please see the
> report
> >> for
> >> >> > more
> >> >> > > >> > > details.
> >> >> > > >> > > > >
> >> >> > > >> > > > > Please take a look at the
report and return to us
with
> >> the
> >> >> > > >> > information
> >> >> > > >> > > > > such as;
> >> >> > > >> > > > > -validate the products,
and whether the reported
> >> >> > vulnerability
> >> >> > > is
> >> >> > > >> > > > > confirmed or not
> >> >> > > >> > > > > -solutions (e.g., patch or
module update)
> >> >> > > >> > > > > -workarounds if any
> >> >> > > >> > > > > -estimated time for
creation of fixes
> >> >> > > >> > > > > -preferable date for
public release on your site
> >> >> > > >> > > > > *we will also publish an
advisory for this issue
on
> >> our
> >> >> > > >> > vulnerability
> >> >> > > >> > > > > knowledge base, JVN,
http://jvn.jp,
> >> http://jvn.jp/en/,
> >> >> > > >> > > > > synchronizing with your
release schedule.
> >> >> > > >> > > > >
> >> >> > > >> > > > > **Caution**
> >> >> > > >> > > > > We have assigned the
tracking number for this
> >> >> vulnerability
> >> >> > > >> issue;
> >> >> > > >> > > > > [VN: JVN#61637002 / TN:
JPCERT#97966327]
> >> >> > > >> > > > > Please be sure to include
these numbers in the
> subject
> >> >> line
> >> >> > > for
> >> >> > > >> > > > > future communication with
us. We appreciate your
> >> >> > cooperation
> >> >> > > on
> >> >> > > >> > > this.
> >> >> > > >> > > > >
> >> >> > > >> > > > > If you have any questions
and concerns, please do
not
> >> >> hesitate
> >> >> > > to
> >> >> > > >> > > > > contact us any time.
> >> >> > > >> > > > >
> >> >> > > >> > > > > Thank you in advance for
your attention on this
> matter.
> >> >> > > >> > > > > We are looking forward to
hearing from you.
> >> >> > > >> > > > >
> >> >> > > >> > > > > Sincerely yours,
> >> >> > > >> > > > >
> >> >> > > >> > > > > Takayuki Uchiyama
> >> >> > > >> > > > > JPCERT/CC Vulnerability
Handling Team
> >> >> > > >> > > > >
> >> >> > > >> > > > > > Hello,
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > Please be aware that
Dotclear 2.6.2 is not the
> latest
> >> >> > version:
> >> >> > > >> > v2.6.3
> >> >> > > >> > > > > > was released in May to
patch vulnerabilities found
> in
> >> >> 2.6.2
> >> >> > > >> (listed
> >> >> > > >> > > at
> >> >> > > >> > > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > >
> >> >> > > >> > >
> >> >> > > >> >
> >> >> > > >>
> >> >> > >
> >> >> >
> >> >>
> >>
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> >> >> > > >> > > > > > )
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > If the vulnerabilities
you found are not the one
> >> listed
> >> >> and
> >> >> > > still
> >> >> > > >> > > > > > exist in 2.6.3, please
send any information to
> >> >> > > >> > security(a)dotclear.net
> >> >> > > >> > > > > > where you'll reach
several members of the team (we
> do
> >> not
> >> >> > use
> >> >> > > a
> >> >> > > >> GPG
> >> >> > > >> > > > > > key).
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > xave, for the Dotclear
Team.
> >> >> > > >> > > > > >
> >> >> > > >> > > > > >
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > On Wed, Jun 25, 2014
at 5:10 AM, JPCERT/CC <
> >> >> > vuls(a)jpcert.or.jp
> >> >> > > >
> >> >> > > >> > > wrote:
> >> >> > > >> > > > > > > To whom it may
concern,
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Hello. This is
Noriko Takahashi from JPCERT/CC
> >> >> > > Vulnerability
> >> >> > > >> > > > > > > Handling Team.
Please excuse the sudden
contact.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > If you're not
familiar with us or our
activities,
> >> >> please
> >> >> > > >> > > > > > > check the
following websites for more
information.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/
> >> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
> >> >> > > >> > > > > > >
> >> >> > > >> > > > >
> >> >> > > >> >
> >> >> > >
> >> >>
> http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> >> >> > > >> > > > > > >
http://jvn.jp/en/
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > We have received
a report of a vulnerability
found
> >> in
> >> >> the
> >> >> > > >> > > > > > > product
"Dotclear 2.6.2" from a researcher/user
> >> here in
> >> >> > > Japan
> >> >> > > >> > > > > > > under the
vulnerability handling framework
called
> >> >> > > "Information
> >> >> > > >> > > > > > > Security Early
Warning Partnership" and the
> official
> >> >> > > >> announcement
> >> >> > > >> > > > > > > #235
"Software Vulnerability Related Information
> >> >> Handling
> >> >> > > >> > Measures"
> >> >> > > >> > > > > > > which were
designed by Ministry of Economy,
Trade
> >> and
> >> >> > > Industry
> >> >> > > >> > > > (METI),
> >> >> > > >> > > > > > > a Japanese
cabinet.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > From the website
> >> >> > > >> > > > > > >
http://dotclear.org/contact
> >> >> > > >> > > > > > > we found this
email address. We would like to
> >> >> coordinate
> >> >> > > with
> >> >> > > >> you
> >> >> > > >> > > > > > > to solve the
reported vulnerability, and your
> >> >> cooperation
> >> >> > > would
> >> >> > > >> > be
> >> >> > > >> > > > > > > greatly
appreciated.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Before we provide
you the details of the
reported
> >> >> > > >> vulnerability,
> >> >> > > >> > > > > > > we would like to
know the appropriate
> >> point-of-contact
> >> >> > > person,
> >> >> > > >> > > > > > > or
department/group/team to communicate in
regards
> >> to
> >> >> this
> >> >> > > >> issue.
> >> >> > > >> > > > > > > It would be
greatly appreciated if you could
> >> provide us
> >> >> > the
> >> >> > > >> below
> >> >> > > >> > > > > > > information at
your earliest convenience.
> >> >> > > >> > > > > > > -Name of the
person/team who is in charge of
such
> >> >> issues
> >> >> > > >> > > > > > > -Email address
> >> >> > > >> > > > > > > -PGP key if
available
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Once we receive
your reply and and
> point-of-contact
> >> >> > > >> information,
> >> >> > > >> > > > > > > we will then send
you the original vulnerability
> >> report
> >> >> > and
> >> >> > > the
> >> >> > > >> > > > > > > details either in
a PGP encrypted message or in
a
> >> >> password
> >> >> > > >> > > protected
> >> >> > > >> > > > > > > zip file.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > If you have any
questions or concerns, please do
> not
> >> >> > > hesitate
> >> >> > > >> > > > > > > to contact us any
time.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Thank you in
advance for your attention to this
> >> email.
> >> >> > > >> > > > > > > We would very
much appreciate your prompt reply.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Sincerely yours,
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Noriko Takahashi
> >> >> > > >> > > > > > > Leader of
Vulnerability Handling Team
> >> >> > > >> > > > > > > Information
Coordination Group
> >> >> > > >> > > > >
> >> >> > > >> >
> >> >> >
> >> ======================================================================
> >> >> > > >> > > > > JPCERT Coordination Center
(JPCERT/CC)
> >> >> > > >> > > > > TEL: +81-3-3518-4600 FAX:
+81-3-3518-4602 EMAIL:
> >> >> > > >> vuls(a)jpcert.or.jp
> >> >> > > >> > > > > PGP key: 0x33E6021D: B9 E8
68 35 2D 39 19 29 63 89
52
> >> D4
> >> >> F8
> >> >> > 8D
> >> >> > > 50
> >> >> > > >> FC
> >> >> > > >> > > > >
https://www.jpcert.or.jp/english
http://jvn.jp/en/
> >> >> > > >> > http://jvn.jp
> >> >> > > >> > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > > > --
> >> >> > > >> > > > > Dotclear Team
> >> >> > > >> > > > >
> >> >> > > >> > > >
> >> >> > > >> > > >
> >> >> > > >> > > >
> >> >> > > >> > > > --
> >> >> > > >> > > > Dotclear Team
> >> >> > > >> > > > --
> >> >> > > >> > > > Dev mailing list -
Dev(a)list.dotclear.org -
> >> >> > > >> > > >
http://ml.dotclear.org/listinfo/dev
> >> >> > > >> > > >
> >> >> > > >> > > --
> >> >> > > >> > > Dev mailing list -
Dev(a)list.dotclear.org -
> >> >> > > >> > > http://ml.dotclear.org/listinfo/dev
> >> >> > > >> > >
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> > --
> >> >> > > >> > Franck
> >> >> > > >> > --
> >> >> > > >> > Dev mailing list - Dev(a)list.dotclear.org
-
> >> >> > > >> > http://ml.dotclear.org/listinfo/dev
> >> >> > > >> >
> >> >> > > >> --
> >> >> > > >> Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > > >> http://ml.dotclear.org/listinfo/dev
> >> >> > > >>
> >> >> > > > --
> >> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > > http://ml.dotclear.org/listinfo/dev
> >> >> > > --
> >> >> > > Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > > http://ml.dotclear.org/listinfo/dev
> >> >> > >
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Franck
> >> >> > --
> >> >> > Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > http://ml.dotclear.org/listinfo/dev
> >> >> >
> >> >> --
> >> >> Dev mailing list - Dev(a)list.dotclear.org -
> >> >> http://ml.dotclear.org/listinfo/dev
> >> >>
> >> >
> >> >
> >> --
> >> Dev mailing list - Dev(a)list.dotclear.org -
> >> http://ml.dotclear.org/listinfo/dev
> >>
> >
> >
> >
> > --
> > Franck
> >
>
>
>
> --
> Franck
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
--
Franck
11:06 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Si tu me trouves les 3 endroits où on écrit le truc, je veux bien faire un
patch, mais vu comme je connais bien le code (ou pas) j'ai pas vraiment le
temps de chercher :/
On 10 July 2014 11:03, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
Si c'est bourrin je l'admets, mais devant l'avalanche de
patchs proposés,
j'ai paré au plus pressé.
2014-07-10 10:56 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> mmm c'est pas un peu bourrin? ça risque pas de péter les recherches
parfois
> ?
>
> ce que je fais généralement, c'est deux variables: une "échappée" que
> j'utilise dès que je veux écrire, une "non échappée" pour les appels
d'API.
>
> Tu sais quels sont les 3 endroits qui écrivent cette variable ? J'en vois
> un avec le form::field là, mais je vois pas les autres
>
>
> On 10 July 2014 10:36, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
>
> > J'ai commité un truc vite fait pour tenter de corriger ça. Vous pouvez
> > vérifier demain avec la nightly ? (branche 2.6)
> >
> >
> > 2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
> >
> > > Where is your patch Julien ? :-D
> > >
> > >
> > > 2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> > >
> > > note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
> > >>
> > >>
> > >> On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
> > >>
> > >> > moi je vois en clair dans le source:
> > >> >
> > >> > <input type="submit" value="ok"
/></p><input type="hidden"
> > >> name="xd_check"
value="e583662b0e24493bb6d9e67cdfdc03140104694a"
> > /><input
> > >> type="hidden" name="q"
value=""><img src=0
> > onerror=alert(document.cookie)>"
> > >> /><input type="hidden" name="qtype"
value="p" /></div></form><form
> > >> action="/blog/admin/search.php"
method="get"><div
> class="pager"><ul><li
> > >> class="first no-link btn"><img
src="images/pagination/no-first.png"
> > >> alt="Première page"/></li><li class="prev
no-link btn"><img
> > >> src="images/pagination/no-previous.png" alt="Page
> précédente"/></li><li
> > >> class="active"><strong>Page 1 /
16</strong></li><li class="next
> btn"><a
> > >>
> >
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
> > >> src="images/pagination/next.png" alt="Page
suivante"/></a><span
> > >> class="hidden">Page
suivante</span></li><li class="last btn"><a
> > >>
> >
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
> > >> src="images/pagination/last.png" alt="Dernière
page"/></a><span
> > >> class="hidden">Dernière
page</span></li><li
> class="direct-access">Aller
> > à
> > >> la page : <input type="text" size="3"
name="page" maxlength="10"
> > /><input
> > >> type="submit" value="ok" class="reset"
name="ok" /><input
> type="hidden"
> > >> name="q" value=""><img src=0
onerror=alert(document.cookie)>"
> /><input
> > >> type="hidden" name="qtype" value="p"
/></li></ul></div></form><div
> > >> id="help"><hr /><div class="help-content
clear"><h3>Aide pour cette
> > >> page</h3>
> > >> >
> > >> >
> > >> > (cherche "xd_check")
> > >> >
> > >> > après, pourquoi ça se reproduit pas ailleurs, j'en sais rien,
mais
> je
> > >> vois
> > >> > quand même bien qu'on échappe pas l'entrée utilisateur
alors qu'on
> le
> > >> > devrait.
> > >> >
> > >> >
> > >> > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> > >> >
> > >> >> Re,
> > >> >>
> > >> >>
> > >> >> 2014-07-08 17:28 GMT+02:00 Franck Paul <
> carnet.franck.paul(a)gmail.com
> > >:
> > >> >>
> > >> >> > Apparemment c'est un problème côté firefox, pas
Dotclear. les
> > chaînes
> > >> >> sont
> > >> >> > à priori bien échappées à la recherche et à
l'affichage.
> > >> >> >
> > >> >> > Et oui Franck, sinon le problème existerait quel que
soit le
> > >> navigateur.
> > >> >>
> > >> >>
> > >> >>
> > >> >> >
> > >> >> > 2014-07-08 17:06 GMT+02:00 Philippe
<philippe(a)dissitou.org>:
> > >> >> >
> > >> >> > > Je reproduis avec Firefox seulement aussi, sur la
version
2.6.3
> > et
> > >> >> > 2.7-dev
> > >> >> > > --
> > >> >> > > Philippe
> > >> >> > >
> > >> >> > >
> > >> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas
<nikrou77(a)gmail.com>:
> > >> >> > > > Je reproduis aussi mais uniquement avec le
panda bleu ! :-)
> > >> >> > > >
> > >> >> > > >
> > >> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg
<
felash(a)gmail.com
> >:
> > >> >> > > >
> > >> >> > > >> je reproduis sur mon blog (mais qui a pas
la dernière
> version)
> > >> >> > > >>
> > >> >> > > >>
> > >> >> > > >> On 8 July 2014 16:26, Franck Paul <
> > carnet.franck.paul(a)gmail.com
> > >> >
> > >> >> > wrote:
> > >> >> > > >>
> > >> >> > > >> > JPCERT97966327
> > >> >> > > >> >
> > >> >> > > >> >
> > >> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien
Wajsberg <
> > felash(a)gmail.com
> > >> >:
> > >> >> > > >> >
> > >> >> > > >> > > faut le mot de passe :)
> > >> >> > > >> > >
> > >> >> > > >> > >
> > >> >> > > >> > > On 8 July 2014 16:04, Dotclear
(contact) <
> > >> contact(a)dotclear.net
> > >> >> >
> > >> >> > > wrote:
> > >> >> > > >> > >
> > >> >> > > >> > > > L'archive qui détaille
un peu tout :
> > >> >> > > >> > > >
> > >> >> >
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> > >> >> > > >> > > >
> > >> >> > > >> > > >
> > >> >> > > >> > > > 2014-07-08 15:08 GMT+02:00
Dotclear (contact) <
> > >> >> > > contact(a)dotclear.net
> > >> >> > > >> >:
> > >> >> > > >> > > >
> > >> >> > > >> > > > > Jour les gens,
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > On a reçu ce matin un
rapport au sujet d'une
faille
> > XSS
> > >> >> (voir
> > >> >> > > >> > > ci-dessous,
> > >> >> > > >> > > > > le mot de passe de
l'archive est JPCERT97966327)
> mais
> > je
> > >> >> > > n'arrive
> > >> >> > > >> > pas à
> > >> >> > > >> > > > > reproduire la faille.
> > >> >> > > >> > > > > Quelqu'un peut
regarder ça de son côté ?
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Franck
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > ---------- Forwarded
message ----------
> > >> >> > > >> > > > > From: JPCERT/CC
<vuls(a)jpcert.or.jp>
> > >> >> > > >> > > > > Date: 2014-07-08 4:36
GMT+02:00
> > >> >> > > >> > > > > Subject: Re: Inquiry
on vulnerability found in
> > Dotclear
> > >> >> 2.6.3
> > >> >> > > VN:
> > >> >> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
> > >> >> > > >> > > > > To: Dotclear
Development Team <
contact(a)dotclear.net
> >
> > >> >> > > >> > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Hello xave @ the
Dotclear Team,
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > We have received a
vulnerability report for one of
> > your
> > >> >> > > products:
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > - Dotclear 2.6.3
vulnerable to cross-site
> scripting
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > I have attached the
details of the reported
> > >> vulnerability
> > >> >> to
> > >> >> > > this
> > >> >> > > >> > > email.
> > >> >> > > >> > > > > The password for the
zip file will be sent in a
> > separate
> > >> >> > email.
> > >> >> > > >> > > > > The original report
was against version 2.6.2, but
> the
> > >> >> issue
> > >> >> > was
> > >> >> > > >> also
> > >> >> > > >> > > > > verified to still
exist in 2.6.3. Please see the
> > report
> > >> for
> > >> >> > more
> > >> >> > > >> > > details.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Please take a look at
the report and return to us
> with
> > >> the
> > >> >> > > >> > information
> > >> >> > > >> > > > > such as;
> > >> >> > > >> > > > > -validate the
products, and whether the reported
> > >> >> > vulnerability
> > >> >> > > is
> > >> >> > > >> > > > > confirmed or not
> > >> >> > > >> > > > > -solutions (e.g.,
patch or module update)
> > >> >> > > >> > > > > -workarounds if any
> > >> >> > > >> > > > > -estimated time for
creation of fixes
> > >> >> > > >> > > > > -preferable date for
public release on your site
> > >> >> > > >> > > > > *we will also
publish an advisory for this issue
> on
> > >> our
> > >> >> > > >> > vulnerability
> > >> >> > > >> > > > > knowledge base,
JVN, http://jvn.jp,
> > >> http://jvn.jp/en/,
> > >> >> > > >> > > > > synchronizing with
your release schedule.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > **Caution**
> > >> >> > > >> > > > > We have assigned the
tracking number for this
> > >> >> vulnerability
> > >> >> > > >> issue;
> > >> >> > > >> > > > > [VN: JVN#61637002
/ TN: JPCERT#97966327]
> > >> >> > > >> > > > > Please be sure to
include these numbers in the
> > subject
> > >> >> line
> > >> >> > > for
> > >> >> > > >> > > > > future communication
with us. We appreciate
your
> > >> >> > cooperation
> > >> >> > > on
> > >> >> > > >> > > this.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > If you have any
questions and concerns, please do
> not
> > >> >> hesitate
> > >> >> > > to
> > >> >> > > >> > > > > contact us any time.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Thank you in advance
for your attention on this
> > matter.
> > >> >> > > >> > > > > We are looking forward
to hearing from you.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Sincerely yours,
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Takayuki Uchiyama
> > >> >> > > >> > > > > JPCERT/CC
Vulnerability Handling Team
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > > Hello,
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > > Please be aware
that Dotclear 2.6.2 is not the
> > latest
> > >> >> > version:
> > >> >> > > >> > v2.6.3
> > >> >> > > >> > > > > > was released in
May to patch vulnerabilities
found
> > in
> > >> >> 2.6.2
> > >> >> > > >> (listed
> > >> >> > > >> > > at
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> > > >
> > >> >> > > >> > >
> > >> >> > > >> >
> > >> >> > > >>
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > >> >> > > >> > > > > > )
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > > If the
vulnerabilities you found are not the one
> > >> listed
> > >> >> and
> > >> >> > > still
> > >> >> > > >> > > > > > exist in 2.6.3,
please send any information to
> > >> >> > > >> > security(a)dotclear.net
> > >> >> > > >> > > > > > where you'll
reach several members of the team
(we
> > do
> > >> not
> > >> >> > use
> > >> >> > > a
> > >> >> > > >> GPG
> > >> >> > > >> > > > > > key).
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > > xave, for the
Dotclear Team.
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > > On Wed, Jun 25,
2014 at 5:10 AM, JPCERT/CC <
> > >> >> > vuls(a)jpcert.or.jp
> > >> >> > > >
> > >> >> > > >> > > wrote:
> > >> >> > > >> > > > > > > To whom it
may concern,
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Hello. This
is Noriko Takahashi from
JPCERT/CC
> > >> >> > > Vulnerability
> > >> >> > > >> > > > > > > Handling
Team. Please excuse the sudden
> contact.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > If
you're not familiar with us or our
> activities,
> > >> >> please
> > >> >> > > >> > > > > > > check the
following websites for more
> information.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/
> > >> >> > > >> > > > > > >
> http://www.jpcert.or.jp/english/vh/project.html
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> >
> > >> >> > >
> > >> >>
> > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > >> >> > > >> > > > > > >
http://jvn.jp/en/
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > We have
received a report of a vulnerability
> found
> > >> in
> > >> >> the
> > >> >> > > >> > > > > > > product
"Dotclear 2.6.2" from a
researcher/user
> > >> here in
> > >> >> > > Japan
> > >> >> > > >> > > > > > > under the
vulnerability handling framework
> called
> > >> >> > > "Information
> > >> >> > > >> > > > > > > Security
Early Warning Partnership" and the
> > official
> > >> >> > > >> announcement
> > >> >> > > >> > > > > > > #235
"Software Vulnerability Related
Information
> > >> >> Handling
> > >> >> > > >> > Measures"
> > >> >> > > >> > > > > > > which were
designed by Ministry of Economy,
> Trade
> > >> and
> > >> >> > > Industry
> > >> >> > > >> > > > (METI),
> > >> >> > > >> > > > > > > a Japanese
cabinet.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > From the
website
> > >> >> > > >> > > > > > >
http://dotclear.org/contact
> > >> >> > > >> > > > > > > we found
this email address. We would like to
> > >> >> coordinate
> > >> >> > > with
> > >> >> > > >> you
> > >> >> > > >> > > > > > > to solve the
reported vulnerability, and your
> > >> >> cooperation
> > >> >> > > would
> > >> >> > > >> > be
> > >> >> > > >> > > > > > > greatly
appreciated.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Before we
provide you the details of the
> reported
> > >> >> > > >> vulnerability,
> > >> >> > > >> > > > > > > we would
like to know the appropriate
> > >> point-of-contact
> > >> >> > > person,
> > >> >> > > >> > > > > > > or
department/group/team to communicate in
> regards
> > >> to
> > >> >> this
> > >> >> > > >> issue.
> > >> >> > > >> > > > > > > It would be
greatly appreciated if you could
> > >> provide us
> > >> >> > the
> > >> >> > > >> below
> > >> >> > > >> > > > > > > information
at your earliest convenience.
> > >> >> > > >> > > > > > > -Name of
the person/team who is in charge of
> such
> > >> >> issues
> > >> >> > > >> > > > > > > -Email
address
> > >> >> > > >> > > > > > > -PGP key if
available
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Once we
receive your reply and and
> > point-of-contact
> > >> >> > > >> information,
> > >> >> > > >> > > > > > > we will then
send you the original
vulnerability
> > >> report
> > >> >> > and
> > >> >> > > the
> > >> >> > > >> > > > > > > details
either in a PGP encrypted message or
in
> a
> > >> >> password
> > >> >> > > >> > > protected
> > >> >> > > >> > > > > > > zip file.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > If you have
any questions or concerns, please
do
> > not
> > >> >> > > hesitate
> > >> >> > > >> > > > > > > to contact
us any time.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Thank you in
advance for your attention to
this
> > >> email.
> > >> >> > > >> > > > > > > We would
very much appreciate your prompt
reply.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Sincerely
yours,
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Noriko
Takahashi
> > >> >> > > >> > > > > > > Leader of
Vulnerability Handling Team
> > >> >> > > >> > > > > > > Information
Coordination Group
> > >> >> > > >> > > > >
> > >> >> > > >> >
> > >> >> >
> > >>
======================================================================
> > >> >> > > >> > > > > JPCERT Coordination
Center (JPCERT/CC)
> > >> >> > > >> > > > > TEL: +81-3-3518-4600
FAX: +81-3-3518-4602
EMAIL:
> > >> >> > > >> vuls(a)jpcert.or.jp
> > >> >> > > >> > > > > PGP key: 0x33E6021D:
B9 E8 68 35 2D 39 19 29 63
89
> 52
> > >> D4
> > >> >> F8
> > >> >> > 8D
> > >> >> > > 50
> > >> >> > > >> FC
> > >> >> > > >> > > > >
https://www.jpcert.or.jp/english
> http://jvn.jp/en/
> > >> >> > > >> > http://jvn.jp
> > >> >> > > >> > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > --
> > >> >> > > >> > > > > Dotclear Team
> > >> >> > > >> > > > >
> > >> >> > > >> > > >
> > >> >> > > >> > > >
> > >> >> > > >> > > >
> > >> >> > > >> > > > --
> > >> >> > > >> > > > Dotclear Team
> > >> >> > > >> > > > --
> > >> >> > > >> > > > Dev mailing list -
Dev(a)list.dotclear.org -
> > >> >> > > >> > > >
http://ml.dotclear.org/listinfo/dev
> > >> >> > > >> > > >
> > >> >> > > >> > > --
> > >> >> > > >> > > Dev mailing list -
Dev(a)list.dotclear.org -
> > >> >> > > >> > >
http://ml.dotclear.org/listinfo/dev
> > >> >> > > >> > >
> > >> >> > > >> >
> > >> >> > > >> >
> > >> >> > > >> >
> > >> >> > > >> > --
> > >> >> > > >> > Franck
> > >> >> > > >> > --
> > >> >> > > >> > Dev mailing list -
Dev(a)list.dotclear.org -
> > >> >> > > >> > http://ml.dotclear.org/listinfo/dev
> > >> >> > > >> >
> > >> >> > > >> --
> > >> >> > > >> Dev mailing list - Dev(a)list.dotclear.org
-
> > >> >> > > >> http://ml.dotclear.org/listinfo/dev
> > >> >> > > >>
> > >> >> > > > --
> > >> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> > >> >> > > http://ml.dotclear.org/listinfo/dev
> > >> >> > > --
> > >> >> > > Dev mailing list - Dev(a)list.dotclear.org -
> > >> >> > > http://ml.dotclear.org/listinfo/dev
> > >> >> > >
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > --
> > >> >> > Franck
> > >> >> > --
> > >> >> > Dev mailing list - Dev(a)list.dotclear.org -
> > >> >> > http://ml.dotclear.org/listinfo/dev
> > >> >> >
> > >> >> --
> > >> >> Dev mailing list - Dev(a)list.dotclear.org -
> > >> >> http://ml.dotclear.org/listinfo/dev
> > >> >>
> > >> >
> > >> >
> > >> --
> > >> Dev mailing list - Dev(a)list.dotclear.org -
> > >> http://ml.dotclear.org/listinfo/dev
> > >>
> > >
> > >
> > >
> > > --
> > > Franck
> > >
> >
> >
> >
> > --
> > Franck
> > --
> > Dev mailing list - Dev(a)list.dotclear.org -
> > http://ml.dotclear.org/listinfo/dev
> >
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Franck
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
11:07 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Les deux autres endroits sont, je pense, les boutons de pagination
(inc/admin/lib.pager.php)
2014-07-10 10:56 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
mmm c'est pas un peu bourrin? ça risque pas de péter les
recherches parfois
?
ce que je fais généralement, c'est deux variables: une "échappée" que
j'utilise dès que je veux écrire, une "non échappée" pour les appels
d'API.
Tu sais quels sont les 3 endroits qui écrivent cette variable ? J'en vois
un avec le form::field là, mais je vois pas les autres
On 10 July 2014 10:36, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
> J'ai commité un truc vite fait pour tenter de corriger ça. Vous pouvez
> vérifier demain avec la nightly ? (branche 2.6)
>
>
> 2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
>
> > Where is your patch Julien ? :-D
> >
> >
> > 2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> >
> > note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
> >>
> >>
> >> On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
> >>
> >> > moi je vois en clair dans le source:
> >> >
> >> > <input type="submit" value="ok"
/></p><input type="hidden"
> >> name="xd_check"
value="e583662b0e24493bb6d9e67cdfdc03140104694a"
> /><input
> >> type="hidden" name="q" value=""><img
src=0
> onerror=alert(document.cookie)>"
> >> /><input type="hidden" name="qtype"
value="p" /></div></form><form
> >> action="/blog/admin/search.php"
method="get"><div
class="pager"><ul><li
> >> class="first no-link btn"><img
src="images/pagination/no-first.png"
> >> alt="Première page"/></li><li class="prev
no-link btn"><img
> >> src="images/pagination/no-previous.png" alt="Page
précédente"/></li><li
> >> class="active"><strong>Page 1 /
16</strong></li><li class="next
btn"><a
> >>
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
> >> src="images/pagination/next.png" alt="Page
suivante"/></a><span
> >> class="hidden">Page suivante</span></li><li
class="last btn"><a
> >>
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
> >> src="images/pagination/last.png" alt="Dernière
page"/></a><span
> >> class="hidden">Dernière page</span></li><li
class="direct-access">Aller
> à
> >> la page : <input type="text" size="3"
name="page" maxlength="10"
> /><input
> >> type="submit" value="ok" class="reset"
name="ok" /><input
type="hidden"
> >> name="q" value=""><img src=0
onerror=alert(document.cookie)>"
/><input
> >> type="hidden" name="qtype" value="p"
/></li></ul></div></form><div
> >> id="help"><hr /><div class="help-content
clear"><h3>Aide pour cette
> >> page</h3>
> >> >
> >> >
> >> > (cherche "xd_check")
> >> >
> >> > après, pourquoi ça se reproduit pas ailleurs, j'en sais rien,
mais
je
> >> vois
> >> > quand même bien qu'on échappe pas l'entrée utilisateur alors
qu'on
le
> >> > devrait.
> >> >
> >> >
> >> > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> >> >
> >> >> Re,
> >> >>
> >> >>
> >> >> 2014-07-08 17:28 GMT+02:00 Franck Paul <
carnet.franck.paul(a)gmail.com
> >:
> >> >>
> >> >> > Apparemment c'est un problème côté firefox, pas Dotclear.
les
> chaînes
> >> >> sont
> >> >> > à priori bien échappées à la recherche et à l'affichage.
> >> >> >
> >> >> > Et oui Franck, sinon le problème existerait quel que soit le
> >> navigateur.
> >> >>
> >> >>
> >> >>
> >> >> >
> >> >> > 2014-07-08 17:06 GMT+02:00 Philippe
<philippe(a)dissitou.org>:
> >> >> >
> >> >> > > Je reproduis avec Firefox seulement aussi, sur la
version 2.6.3
> et
> >> >> > 2.7-dev
> >> >> > > --
> >> >> > > Philippe
> >> >> > >
> >> >> > >
> >> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas
<nikrou77(a)gmail.com>:
> >> >> > > > Je reproduis aussi mais uniquement avec le panda
bleu ! :-)
> >> >> > > >
> >> >> > > >
> >> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg
<felash(a)gmail.com
>:
> >> >> > > >
> >> >> > > >> je reproduis sur mon blog (mais qui a pas la
dernière
version)
> >> >> > > >>
> >> >> > > >>
> >> >> > > >> On 8 July 2014 16:26, Franck Paul <
> carnet.franck.paul(a)gmail.com
> >> >
> >> >> > wrote:
> >> >> > > >>
> >> >> > > >> > JPCERT97966327
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg
<
> felash(a)gmail.com
> >> >:
> >> >> > > >> >
> >> >> > > >> > > faut le mot de passe :)
> >> >> > > >> > >
> >> >> > > >> > >
> >> >> > > >> > > On 8 July 2014 16:04, Dotclear
(contact) <
> >> contact(a)dotclear.net
> >> >> >
> >> >> > > wrote:
> >> >> > > >> > >
> >> >> > > >> > > > L'archive qui détaille un
peu tout :
> >> >> > > >> > > >
> >> >> >
https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> >> >> > > >> > > >
> >> >> > > >> > > >
> >> >> > > >> > > > 2014-07-08 15:08 GMT+02:00
Dotclear (contact) <
> >> >> > > contact(a)dotclear.net
> >> >> > > >> >:
> >> >> > > >> > > >
> >> >> > > >> > > > > Jour les gens,
> >> >> > > >> > > > >
> >> >> > > >> > > > > On a reçu ce matin un
rapport au sujet d'une faille
> XSS
> >> >> (voir
> >> >> > > >> > > ci-dessous,
> >> >> > > >> > > > > le mot de passe de
l'archive est JPCERT97966327)
mais
> je
> >> >> > > n'arrive
> >> >> > > >> > pas à
> >> >> > > >> > > > > reproduire la faille.
> >> >> > > >> > > > > Quelqu'un peut regarder
ça de son côté ?
> >> >> > > >> > > > >
> >> >> > > >> > > > > Franck
> >> >> > > >> > > > >
> >> >> > > >> > > > > ---------- Forwarded
message ----------
> >> >> > > >> > > > > From: JPCERT/CC
<vuls(a)jpcert.or.jp>
> >> >> > > >> > > > > Date: 2014-07-08 4:36
GMT+02:00
> >> >> > > >> > > > > Subject: Re: Inquiry on
vulnerability found in
> Dotclear
> >> >> 2.6.3
> >> >> > > VN:
> >> >> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
> >> >> > > >> > > > > To: Dotclear Development
Team <contact(a)dotclear.net
>
> >> >> > > >> > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > > > Hello xave @ the Dotclear
Team,
> >> >> > > >> > > > >
> >> >> > > >> > > > > We have received a
vulnerability report for one of
> your
> >> >> > > products:
> >> >> > > >> > > > >
> >> >> > > >> > > > > - Dotclear 2.6.3
vulnerable to cross-site
scripting
> >> >> > > >> > > > >
> >> >> > > >> > > > > I have attached the details
of the reported
> >> vulnerability
> >> >> to
> >> >> > > this
> >> >> > > >> > > email.
> >> >> > > >> > > > > The password for the zip
file will be sent in a
> separate
> >> >> > email.
> >> >> > > >> > > > > The original report was
against version 2.6.2, but
the
> >> >> issue
> >> >> > was
> >> >> > > >> also
> >> >> > > >> > > > > verified to still exist in
2.6.3. Please see the
> report
> >> for
> >> >> > more
> >> >> > > >> > > details.
> >> >> > > >> > > > >
> >> >> > > >> > > > > Please take a look at the
report and return to us
with
> >> the
> >> >> > > >> > information
> >> >> > > >> > > > > such as;
> >> >> > > >> > > > > -validate the products,
and whether the reported
> >> >> > vulnerability
> >> >> > > is
> >> >> > > >> > > > > confirmed or not
> >> >> > > >> > > > > -solutions (e.g., patch or
module update)
> >> >> > > >> > > > > -workarounds if any
> >> >> > > >> > > > > -estimated time for
creation of fixes
> >> >> > > >> > > > > -preferable date for
public release on your site
> >> >> > > >> > > > > *we will also publish an
advisory for this issue
on
> >> our
> >> >> > > >> > vulnerability
> >> >> > > >> > > > > knowledge base, JVN,
http://jvn.jp,
> >> http://jvn.jp/en/,
> >> >> > > >> > > > > synchronizing with your
release schedule.
> >> >> > > >> > > > >
> >> >> > > >> > > > > **Caution**
> >> >> > > >> > > > > We have assigned the
tracking number for this
> >> >> vulnerability
> >> >> > > >> issue;
> >> >> > > >> > > > > [VN: JVN#61637002 / TN:
JPCERT#97966327]
> >> >> > > >> > > > > Please be sure to include
these numbers in the
> subject
> >> >> line
> >> >> > > for
> >> >> > > >> > > > > future communication with
us. We appreciate your
> >> >> > cooperation
> >> >> > > on
> >> >> > > >> > > this.
> >> >> > > >> > > > >
> >> >> > > >> > > > > If you have any questions
and concerns, please do
not
> >> >> hesitate
> >> >> > > to
> >> >> > > >> > > > > contact us any time.
> >> >> > > >> > > > >
> >> >> > > >> > > > > Thank you in advance for
your attention on this
> matter.
> >> >> > > >> > > > > We are looking forward to
hearing from you.
> >> >> > > >> > > > >
> >> >> > > >> > > > > Sincerely yours,
> >> >> > > >> > > > >
> >> >> > > >> > > > > Takayuki Uchiyama
> >> >> > > >> > > > > JPCERT/CC Vulnerability
Handling Team
> >> >> > > >> > > > >
> >> >> > > >> > > > > > Hello,
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > Please be aware that
Dotclear 2.6.2 is not the
> latest
> >> >> > version:
> >> >> > > >> > v2.6.3
> >> >> > > >> > > > > > was released in May to
patch vulnerabilities found
> in
> >> >> 2.6.2
> >> >> > > >> (listed
> >> >> > > >> > > at
> >> >> > > >> > > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > >
> >> >> > > >> > >
> >> >> > > >> >
> >> >> > > >>
> >> >> > >
> >> >> >
> >> >>
> >>
>
http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> >> >> > > >> > > > > > )
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > If the vulnerabilities
you found are not the one
> >> listed
> >> >> and
> >> >> > > still
> >> >> > > >> > > > > > exist in 2.6.3, please
send any information to
> >> >> > > >> > security(a)dotclear.net
> >> >> > > >> > > > > > where you'll reach
several members of the team (we
> do
> >> not
> >> >> > use
> >> >> > > a
> >> >> > > >> GPG
> >> >> > > >> > > > > > key).
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > xave, for the Dotclear
Team.
> >> >> > > >> > > > > >
> >> >> > > >> > > > > >
> >> >> > > >> > > > > >
> >> >> > > >> > > > > > On Wed, Jun 25, 2014
at 5:10 AM, JPCERT/CC <
> >> >> > vuls(a)jpcert.or.jp
> >> >> > > >
> >> >> > > >> > > wrote:
> >> >> > > >> > > > > > > To whom it may
concern,
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Hello. This is
Noriko Takahashi from JPCERT/CC
> >> >> > > Vulnerability
> >> >> > > >> > > > > > > Handling Team.
Please excuse the sudden
contact.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > If you're not
familiar with us or our
activities,
> >> >> please
> >> >> > > >> > > > > > > check the
following websites for more
information.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/
> >> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/vh/project.html
> >> >> > > >> > > > > > >
> >> >> > > >> > > > >
> >> >> > > >> >
> >> >> > >
> >> >>
> http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> >> >> > > >> > > > > > >
http://jvn.jp/en/
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > We have received
a report of a vulnerability
found
> >> in
> >> >> the
> >> >> > > >> > > > > > > product
"Dotclear 2.6.2" from a researcher/user
> >> here in
> >> >> > > Japan
> >> >> > > >> > > > > > > under the
vulnerability handling framework
called
> >> >> > > "Information
> >> >> > > >> > > > > > > Security Early
Warning Partnership" and the
> official
> >> >> > > >> announcement
> >> >> > > >> > > > > > > #235
"Software Vulnerability Related Information
> >> >> Handling
> >> >> > > >> > Measures"
> >> >> > > >> > > > > > > which were
designed by Ministry of Economy,
Trade
> >> and
> >> >> > > Industry
> >> >> > > >> > > > (METI),
> >> >> > > >> > > > > > > a Japanese
cabinet.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > From the website
> >> >> > > >> > > > > > >
http://dotclear.org/contact
> >> >> > > >> > > > > > > we found this
email address. We would like to
> >> >> coordinate
> >> >> > > with
> >> >> > > >> you
> >> >> > > >> > > > > > > to solve the
reported vulnerability, and your
> >> >> cooperation
> >> >> > > would
> >> >> > > >> > be
> >> >> > > >> > > > > > > greatly
appreciated.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Before we provide
you the details of the
reported
> >> >> > > >> vulnerability,
> >> >> > > >> > > > > > > we would like to
know the appropriate
> >> point-of-contact
> >> >> > > person,
> >> >> > > >> > > > > > > or
department/group/team to communicate in
regards
> >> to
> >> >> this
> >> >> > > >> issue.
> >> >> > > >> > > > > > > It would be
greatly appreciated if you could
> >> provide us
> >> >> > the
> >> >> > > >> below
> >> >> > > >> > > > > > > information at
your earliest convenience.
> >> >> > > >> > > > > > > -Name of the
person/team who is in charge of
such
> >> >> issues
> >> >> > > >> > > > > > > -Email address
> >> >> > > >> > > > > > > -PGP key if
available
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Once we receive
your reply and and
> point-of-contact
> >> >> > > >> information,
> >> >> > > >> > > > > > > we will then send
you the original vulnerability
> >> report
> >> >> > and
> >> >> > > the
> >> >> > > >> > > > > > > details either in
a PGP encrypted message or in
a
> >> >> password
> >> >> > > >> > > protected
> >> >> > > >> > > > > > > zip file.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > If you have any
questions or concerns, please do
> not
> >> >> > > hesitate
> >> >> > > >> > > > > > > to contact us any
time.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Thank you in
advance for your attention to this
> >> email.
> >> >> > > >> > > > > > > We would very
much appreciate your prompt reply.
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Sincerely yours,
> >> >> > > >> > > > > > >
> >> >> > > >> > > > > > > Noriko Takahashi
> >> >> > > >> > > > > > > Leader of
Vulnerability Handling Team
> >> >> > > >> > > > > > > Information
Coordination Group
> >> >> > > >> > > > >
> >> >> > > >> >
> >> >> >
> >> ======================================================================
> >> >> > > >> > > > > JPCERT Coordination Center
(JPCERT/CC)
> >> >> > > >> > > > > TEL: +81-3-3518-4600 FAX:
+81-3-3518-4602 EMAIL:
> >> >> > > >> vuls(a)jpcert.or.jp
> >> >> > > >> > > > > PGP key: 0x33E6021D: B9 E8
68 35 2D 39 19 29 63 89
52
> >> D4
> >> >> F8
> >> >> > 8D
> >> >> > > 50
> >> >> > > >> FC
> >> >> > > >> > > > >
https://www.jpcert.or.jp/english
http://jvn.jp/en/
> >> >> > > >> > http://jvn.jp
> >> >> > > >> > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > > >
> >> >> > > >> > > > > --
> >> >> > > >> > > > > Dotclear Team
> >> >> > > >> > > > >
> >> >> > > >> > > >
> >> >> > > >> > > >
> >> >> > > >> > > >
> >> >> > > >> > > > --
> >> >> > > >> > > > Dotclear Team
> >> >> > > >> > > > --
> >> >> > > >> > > > Dev mailing list -
Dev(a)list.dotclear.org -
> >> >> > > >> > > >
http://ml.dotclear.org/listinfo/dev
> >> >> > > >> > > >
> >> >> > > >> > > --
> >> >> > > >> > > Dev mailing list -
Dev(a)list.dotclear.org -
> >> >> > > >> > > http://ml.dotclear.org/listinfo/dev
> >> >> > > >> > >
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> >
> >> >> > > >> > --
> >> >> > > >> > Franck
> >> >> > > >> > --
> >> >> > > >> > Dev mailing list - Dev(a)list.dotclear.org
-
> >> >> > > >> > http://ml.dotclear.org/listinfo/dev
> >> >> > > >> >
> >> >> > > >> --
> >> >> > > >> Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > > >> http://ml.dotclear.org/listinfo/dev
> >> >> > > >>
> >> >> > > > --
> >> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > > http://ml.dotclear.org/listinfo/dev
> >> >> > > --
> >> >> > > Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > > http://ml.dotclear.org/listinfo/dev
> >> >> > >
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Franck
> >> >> > --
> >> >> > Dev mailing list - Dev(a)list.dotclear.org -
> >> >> > http://ml.dotclear.org/listinfo/dev
> >> >> >
> >> >> --
> >> >> Dev mailing list - Dev(a)list.dotclear.org -
> >> >> http://ml.dotclear.org/listinfo/dev
> >> >>
> >> >
> >> >
> >> --
> >> Dev mailing list - Dev(a)list.dotclear.org -
> >> http://ml.dotclear.org/listinfo/dev
> >>
> >
> >
> >
> > --
> > Franck
> >
>
>
>
> --
> Franck
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
--
Franck
11:38 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Cela dit, c'est pas si bourrin que ça ma modif et ça n'empêche pas la
recherche, y compris de termes comme "<img src=".
Je viens de faire l'essai sur le code corrigé et ça fonctionne plutôt bien.
2014-07-10 11:07 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
Les deux autres endroits sont, je pense, les boutons de pagination
(inc/admin/lib.pager.php)
2014-07-10 10:56 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
mmm c'est pas un peu bourrin? ça risque pas de péter les recherches parfois
> ?
>
> ce que je fais généralement, c'est deux variables: une "échappée" que
> j'utilise dès que je veux écrire, une "non échappée" pour les appels
> d'API.
>
> Tu sais quels sont les 3 endroits qui écrivent cette variable ? J'en vois
> un avec le form::field là, mais je vois pas les autres
>
>
> On 10 July 2014 10:36, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
>
> > J'ai commité un truc vite fait pour tenter de corriger ça. Vous pouvez
> > vérifier demain avec la nightly ? (branche 2.6)
> >
> >
> > 2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
> >
> > > Where is your patch Julien ? :-D
> > >
> > >
> > > 2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> > >
> > > note qu'il y a visiblement 3 endroits où on l'affiche ainsi.
> > >>
> > >>
> > >> On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
> > >>
> > >> > moi je vois en clair dans le source:
> > >> >
> > >> > <input type="submit" value="ok"
/></p><input type="hidden"
> > >> name="xd_check"
value="e583662b0e24493bb6d9e67cdfdc03140104694a"
> > /><input
> > >> type="hidden" name="q"
value=""><img src=0
> > onerror=alert(document.cookie)>"
> > >> /><input type="hidden" name="qtype"
value="p" /></div></form><form
> > >> action="/blog/admin/search.php"
method="get"><div
> class="pager"><ul><li
> > >> class="first no-link btn"><img
src="images/pagination/no-first.png"
> > >> alt="Première page"/></li><li class="prev
no-link btn"><img
> > >> src="images/pagination/no-previous.png" alt="Page
> précédente"/></li><li
> > >> class="active"><strong>Page 1 /
16</strong></li><li class="next
> btn"><a
> > >>
> >
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img
> > >> src="images/pagination/next.png" alt="Page
suivante"/></a><span
> > >> class="hidden">Page suivante</span></li><li
class="last btn"><a
> > >>
> >
>
href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img
> > >> src="images/pagination/last.png" alt="Dernière
page"/></a><span
> > >> class="hidden">Dernière
page</span></li><li
> class="direct-access">Aller
> > à
> > >> la page : <input type="text" size="3"
name="page" maxlength="10"
> > /><input
> > >> type="submit" value="ok" class="reset"
name="ok" /><input
> type="hidden"
> > >> name="q" value=""><img src=0
onerror=alert(document.cookie)>"
> /><input
> > >> type="hidden" name="qtype" value="p"
/></li></ul></div></form><div
> > >> id="help"><hr /><div class="help-content
clear"><h3>Aide pour cette
> > >> page</h3>
> > >> >
> > >> >
> > >> > (cherche "xd_check")
> > >> >
> > >> > après, pourquoi ça se reproduit pas ailleurs, j'en sais rien,
mais
> je
> > >> vois
> > >> > quand même bien qu'on échappe pas l'entrée utilisateur
alors qu'on
> le
> > >> > devrait.
> > >> >
> > >> >
> > >> > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> > >> >
> > >> >> Re,
> > >> >>
> > >> >>
> > >> >> 2014-07-08 17:28 GMT+02:00 Franck Paul <
> carnet.franck.paul(a)gmail.com
> > >:
> > >> >>
> > >> >> > Apparemment c'est un problème côté firefox, pas
Dotclear. les
> > chaînes
> > >> >> sont
> > >> >> > à priori bien échappées à la recherche et à
l'affichage.
> > >> >> >
> > >> >> > Et oui Franck, sinon le problème existerait quel que soit
le
> > >> navigateur.
> > >> >>
> > >> >>
> > >> >>
> > >> >> >
> > >> >> > 2014-07-08 17:06 GMT+02:00 Philippe
<philippe(a)dissitou.org>:
> > >> >> >
> > >> >> > > Je reproduis avec Firefox seulement aussi, sur la
version
> 2.6.3
> > et
> > >> >> > 2.7-dev
> > >> >> > > --
> > >> >> > > Philippe
> > >> >> > >
> > >> >> > >
> > >> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas
<nikrou77(a)gmail.com>:
> > >> >> > > > Je reproduis aussi mais uniquement avec le
panda bleu ! :-)
> > >> >> > > >
> > >> >> > > >
> > >> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg
<
> felash(a)gmail.com>:
> > >> >> > > >
> > >> >> > > >> je reproduis sur mon blog (mais qui a pas
la dernière
> version)
> > >> >> > > >>
> > >> >> > > >>
> > >> >> > > >> On 8 July 2014 16:26, Franck Paul <
> > carnet.franck.paul(a)gmail.com
> > >> >
> > >> >> > wrote:
> > >> >> > > >>
> > >> >> > > >> > JPCERT97966327
> > >> >> > > >> >
> > >> >> > > >> >
> > >> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien
Wajsberg <
> > felash(a)gmail.com
> > >> >:
> > >> >> > > >> >
> > >> >> > > >> > > faut le mot de passe :)
> > >> >> > > >> > >
> > >> >> > > >> > >
> > >> >> > > >> > > On 8 July 2014 16:04, Dotclear
(contact) <
> > >> contact(a)dotclear.net
> > >> >> >
> > >> >> > > wrote:
> > >> >> > > >> > >
> > >> >> > > >> > > > L'archive qui détaille
un peu tout :
> > >> >> > > >> > > >
> > >> >> >
> https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> > >> >> > > >> > > >
> > >> >> > > >> > > >
> > >> >> > > >> > > > 2014-07-08 15:08 GMT+02:00
Dotclear (contact) <
> > >> >> > > contact(a)dotclear.net
> > >> >> > > >> >:
> > >> >> > > >> > > >
> > >> >> > > >> > > > > Jour les gens,
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > On a reçu ce matin un
rapport au sujet d'une faille
> > XSS
> > >> >> (voir
> > >> >> > > >> > > ci-dessous,
> > >> >> > > >> > > > > le mot de passe de
l'archive est JPCERT97966327)
> mais
> > je
> > >> >> > > n'arrive
> > >> >> > > >> > pas à
> > >> >> > > >> > > > > reproduire la faille.
> > >> >> > > >> > > > > Quelqu'un peut
regarder ça de son côté ?
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Franck
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > ---------- Forwarded
message ----------
> > >> >> > > >> > > > > From: JPCERT/CC
<vuls(a)jpcert.or.jp>
> > >> >> > > >> > > > > Date: 2014-07-08 4:36
GMT+02:00
> > >> >> > > >> > > > > Subject: Re: Inquiry on
vulnerability found in
> > Dotclear
> > >> >> 2.6.3
> > >> >> > > VN:
> > >> >> > > >> > > > > JVN#61637002 / TN: JP
CERT#97966327JPCERT#97966327
> > >> >> > > >> > > > > To: Dotclear
Development Team <
> contact(a)dotclear.net>
> > >> >> > > >> > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Hello xave @ the
Dotclear Team,
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > We have received a
vulnerability report for one of
> > your
> > >> >> > > products:
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > - Dotclear 2.6.3
vulnerable to cross-site
> scripting
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > I have attached the
details of the reported
> > >> vulnerability
> > >> >> to
> > >> >> > > this
> > >> >> > > >> > > email.
> > >> >> > > >> > > > > The password for the
zip file will be sent in a
> > separate
> > >> >> > email.
> > >> >> > > >> > > > > The original report was
against version 2.6.2, but
> the
> > >> >> issue
> > >> >> > was
> > >> >> > > >> also
> > >> >> > > >> > > > > verified to still exist
in 2.6.3. Please see the
> > report
> > >> for
> > >> >> > more
> > >> >> > > >> > > details.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Please take a look at
the report and return to us
> with
> > >> the
> > >> >> > > >> > information
> > >> >> > > >> > > > > such as;
> > >> >> > > >> > > > > -validate the
products, and whether the reported
> > >> >> > vulnerability
> > >> >> > > is
> > >> >> > > >> > > > > confirmed or not
> > >> >> > > >> > > > > -solutions (e.g.,
patch or module update)
> > >> >> > > >> > > > > -workarounds if any
> > >> >> > > >> > > > > -estimated time for
creation of fixes
> > >> >> > > >> > > > > -preferable date for
public release on your site
> > >> >> > > >> > > > > *we will also publish
an advisory for this issue
> on
> > >> our
> > >> >> > > >> > vulnerability
> > >> >> > > >> > > > > knowledge base, JVN,
http://jvn.jp,
> > >> http://jvn.jp/en/,
> > >> >> > > >> > > > > synchronizing with
your release schedule.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > **Caution**
> > >> >> > > >> > > > > We have assigned the
tracking number for this
> > >> >> vulnerability
> > >> >> > > >> issue;
> > >> >> > > >> > > > > [VN: JVN#61637002 /
TN: JPCERT#97966327]
> > >> >> > > >> > > > > Please be sure to
include these numbers in the
> > subject
> > >> >> line
> > >> >> > > for
> > >> >> > > >> > > > > future communication
with us. We appreciate your
> > >> >> > cooperation
> > >> >> > > on
> > >> >> > > >> > > this.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > If you have any
questions and concerns, please do
> not
> > >> >> hesitate
> > >> >> > > to
> > >> >> > > >> > > > > contact us any time.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Thank you in advance
for your attention on this
> > matter.
> > >> >> > > >> > > > > We are looking forward
to hearing from you.
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Sincerely yours,
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > Takayuki Uchiyama
> > >> >> > > >> > > > > JPCERT/CC Vulnerability
Handling Team
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > > Hello,
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > > Please be aware
that Dotclear 2.6.2 is not the
> > latest
> > >> >> > version:
> > >> >> > > >> > v2.6.3
> > >> >> > > >> > > > > > was released in
May to patch vulnerabilities
> found
> > in
> > >> >> 2.6.2
> > >> >> > > >> (listed
> > >> >> > > >> > > at
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> > > >
> > >> >> > > >> > >
> > >> >> > > >> >
> > >> >> > > >>
> > >> >> > >
> > >> >> >
> > >> >>
> > >>
> >
> http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > >> >> > > >> > > > > > )
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > > If the
vulnerabilities you found are not the one
> > >> listed
> > >> >> and
> > >> >> > > still
> > >> >> > > >> > > > > > exist in 2.6.3,
please send any information to
> > >> >> > > >> > security(a)dotclear.net
> > >> >> > > >> > > > > > where you'll
reach several members of the team
> (we
> > do
> > >> not
> > >> >> > use
> > >> >> > > a
> > >> >> > > >> GPG
> > >> >> > > >> > > > > > key).
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > > xave, for the
Dotclear Team.
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > >
> > >> >> > > >> > > > > > On Wed, Jun 25,
2014 at 5:10 AM, JPCERT/CC <
> > >> >> > vuls(a)jpcert.or.jp
> > >> >> > > >
> > >> >> > > >> > > wrote:
> > >> >> > > >> > > > > > > To whom it
may concern,
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Hello. This
is Noriko Takahashi from JPCERT/CC
> > >> >> > > Vulnerability
> > >> >> > > >> > > > > > > Handling
Team. Please excuse the sudden
> contact.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > If you're
not familiar with us or our
> activities,
> > >> >> please
> > >> >> > > >> > > > > > > check the
following websites for more
> information.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > >
http://www.jpcert.or.jp/english/
> > >> >> > > >> > > > > > >
> http://www.jpcert.or.jp/english/vh/project.html
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> >
> > >> >> > >
> > >> >>
> > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > >> >> > > >> > > > > > >
http://jvn.jp/en/
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > We have
received a report of a vulnerability
> found
> > >> in
> > >> >> the
> > >> >> > > >> > > > > > > product
"Dotclear 2.6.2" from a researcher/user
> > >> here in
> > >> >> > > Japan
> > >> >> > > >> > > > > > > under the
vulnerability handling framework
> called
> > >> >> > > "Information
> > >> >> > > >> > > > > > > Security
Early Warning Partnership" and the
> > official
> > >> >> > > >> announcement
> > >> >> > > >> > > > > > > #235
"Software Vulnerability Related
> Information
> > >> >> Handling
> > >> >> > > >> > Measures"
> > >> >> > > >> > > > > > > which were
designed by Ministry of Economy,
> Trade
> > >> and
> > >> >> > > Industry
> > >> >> > > >> > > > (METI),
> > >> >> > > >> > > > > > > a Japanese
cabinet.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > From the
website
> > >> >> > > >> > > > > > >
http://dotclear.org/contact
> > >> >> > > >> > > > > > > we found this
email address. We would like to
> > >> >> coordinate
> > >> >> > > with
> > >> >> > > >> you
> > >> >> > > >> > > > > > > to solve the
reported vulnerability, and your
> > >> >> cooperation
> > >> >> > > would
> > >> >> > > >> > be
> > >> >> > > >> > > > > > > greatly
appreciated.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Before we
provide you the details of the
> reported
> > >> >> > > >> vulnerability,
> > >> >> > > >> > > > > > > we would like
to know the appropriate
> > >> point-of-contact
> > >> >> > > person,
> > >> >> > > >> > > > > > > or
department/group/team to communicate in
> regards
> > >> to
> > >> >> this
> > >> >> > > >> issue.
> > >> >> > > >> > > > > > > It would be
greatly appreciated if you could
> > >> provide us
> > >> >> > the
> > >> >> > > >> below
> > >> >> > > >> > > > > > > information
at your earliest convenience.
> > >> >> > > >> > > > > > > -Name of the
person/team who is in charge of
> such
> > >> >> issues
> > >> >> > > >> > > > > > > -Email
address
> > >> >> > > >> > > > > > > -PGP key if
available
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Once we
receive your reply and and
> > point-of-contact
> > >> >> > > >> information,
> > >> >> > > >> > > > > > > we will then
send you the original
> vulnerability
> > >> report
> > >> >> > and
> > >> >> > > the
> > >> >> > > >> > > > > > > details
either in a PGP encrypted message or
> in a
> > >> >> password
> > >> >> > > >> > > protected
> > >> >> > > >> > > > > > > zip file.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > If you have
any questions or concerns, please
> do
> > not
> > >> >> > > hesitate
> > >> >> > > >> > > > > > > to contact us
any time.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Thank you in
advance for your attention to this
> > >> email.
> > >> >> > > >> > > > > > > We would very
much appreciate your prompt
> reply.
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Sincerely
yours,
> > >> >> > > >> > > > > > >
> > >> >> > > >> > > > > > > Noriko
Takahashi
> > >> >> > > >> > > > > > > Leader of
Vulnerability Handling Team
> > >> >> > > >> > > > > > > Information
Coordination Group
> > >> >> > > >> > > > >
> > >> >> > > >> >
> > >> >> >
> > >>
> ======================================================================
> > >> >> > > >> > > > > JPCERT Coordination
Center (JPCERT/CC)
> > >> >> > > >> > > > > TEL: +81-3-3518-4600
FAX: +81-3-3518-4602 EMAIL:
> > >> >> > > >> vuls(a)jpcert.or.jp
> > >> >> > > >> > > > > PGP key: 0x33E6021D: B9
E8 68 35 2D 39 19 29 63
> 89 52
> > >> D4
> > >> >> F8
> > >> >> > 8D
> > >> >> > > 50
> > >> >> > > >> FC
> > >> >> > > >> > > > >
https://www.jpcert.or.jp/english
> http://jvn.jp/en/
> > >> >> > > >> > http://jvn.jp
> > >> >> > > >> > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> > > > >
> > >> >> > > >> > > > > --
> > >> >> > > >> > > > > Dotclear Team
> > >> >> > > >> > > > >
> > >> >> > > >> > > >
> > >> >> > > >> > > >
> > >> >> > > >> > > >
> > >> >> > > >> > > > --
> > >> >> > > >> > > > Dotclear Team
> > >> >> > > >> > > > --
> > >> >> > > >> > > > Dev mailing list -
Dev(a)list.dotclear.org -
> > >> >> > > >> > > >
http://ml.dotclear.org/listinfo/dev
> > >> >> > > >> > > >
> > >> >> > > >> > > --
> > >> >> > > >> > > Dev mailing list -
Dev(a)list.dotclear.org -
> > >> >> > > >> > >
http://ml.dotclear.org/listinfo/dev
> > >> >> > > >> > >
> > >> >> > > >> >
> > >> >> > > >> >
> > >> >> > > >> >
> > >> >> > > >> > --
> > >> >> > > >> > Franck
> > >> >> > > >> > --
> > >> >> > > >> > Dev mailing list -
Dev(a)list.dotclear.org -
> > >> >> > > >> > http://ml.dotclear.org/listinfo/dev
> > >> >> > > >> >
> > >> >> > > >> --
> > >> >> > > >> Dev mailing list - Dev(a)list.dotclear.org -
> > >> >> > > >> http://ml.dotclear.org/listinfo/dev
> > >> >> > > >>
> > >> >> > > > --
> > >> >> > > > Dev mailing list - Dev(a)list.dotclear.org -
> > >> >> > > http://ml.dotclear.org/listinfo/dev
> > >> >> > > --
> > >> >> > > Dev mailing list - Dev(a)list.dotclear.org -
> > >> >> > > http://ml.dotclear.org/listinfo/dev
> > >> >> > >
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > --
> > >> >> > Franck
> > >> >> > --
> > >> >> > Dev mailing list - Dev(a)list.dotclear.org -
> > >> >> > http://ml.dotclear.org/listinfo/dev
> > >> >> >
> > >> >> --
> > >> >> Dev mailing list - Dev(a)list.dotclear.org -
> > >> >> http://ml.dotclear.org/listinfo/dev
> > >> >>
> > >> >
> > >> >
> > >> --
> > >> Dev mailing list - Dev(a)list.dotclear.org -
> > >> http://ml.dotclear.org/listinfo/dev
> > >>
> > >
> > >
> > >
> > > --
> > > Franck
> > >
> >
> >
> >
> > --
> > Franck
> > --
> > Dev mailing list - Dev(a)list.dotclear.org -
> > http://ml.dotclear.org/listinfo/dev
> >
> --
> Dev mailing list - Dev(a)list.dotclear.org -
> http://ml.dotclear.org/listinfo/dev
>
--
Franck
--
Franck
5:06 p.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
2014-07-10 11:38 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
Cela dit, c'est pas si bourrin que ça ma modif et ça
n'empêche pas la
recherche, y compris de termes comme "<img src=".
Je viens de faire l'essai sur le code corrigé et ça fonctionne plutôt bien.
Hello,
Les termes recherchés sont correctement échappés dans le core, c'est juste
la page search.php de l'admin qui doit échapper correctement pour
l'affichage.
J'aurais tendance à placer le $q = html::escapeHTML($q); avant de fermer
le if($q), et pas en début. Cela évitera le double échappement dans le
core, et restera blindé pour la suite.
(Désolé, j'aurais bien patché/testé, mais depuis une tente au fond des
Cévennes, accessoirement sous la pluie, c'est pas très simple ;)
--
Bruno
8:47 a.m.
New subject: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327
Salut Bruno,
Pour ta remarque (déplacement vers le bas), ça pose problème avec les
listes (essentiellement la pagination).
Quant à la recherche dans le core, la chaîne est splitée et échappée au
sens de SQL, mais pas au sens HTML.
Pour ces deux raisons, je préconise de laisser ma modif en l'état.
Telle qu'elle a été commitée, une recherche de "<img src=" fonctionne
comme
il faut sur un panel de 1500 billets : 1 billet est retourné et c'est
conforme (les deux chaînes <img et src= sont bien présentes dans le billet).
Si je déplace ma modif, je récupère les 1500 billets et la pagination est
polluée.
Franck
Le 12 juillet 2014 17:06, Bruno <dsls(a)morefnu.org> a écrit :
2014-07-10 11:38 GMT+02:00 Franck Paul
<carnet.franck.paul(a)gmail.com>:
> Cela dit, c'est pas si bourrin que ça ma modif et ça n'empêche pas la
> recherche, y compris de termes comme "<img src=".
>
> Je viens de faire l'essai sur le code corrigé et ça fonctionne plutôt
bien.
>
>
Hello,
Les termes recherchés sont correctement échappés dans le core, c'est juste
la page search.php de l'admin qui doit échapper correctement pour
l'affichage.
J'aurais tendance à placer le $q = html::escapeHTML($q); avant de fermer
le if($q), et pas en début. Cela évitera le double échappement dans le
core, et restera blindé pour la suite.
(Désolé, j'aurais bien patché/testé, mais depuis une tente au fond des
Cévennes, accessoirement sous la pluie, c'est pas très simple ;)
--
Bruno
--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
--
Franck
3585
days inactive
3590
days old
19 comments
6 participants
participants (6)
-
Bruno -
Dotclear (contact) -
Franck Paul -
Julien Wajsberg -
Nicolas -
Philippe