If you can find me the 3 places where the thing gets written, I'm happy to make
a patch, but given how well I know the code (or not), I don't really have the
time to go looking :/

On 10 July 2014 11:03, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:

> Crude, I admit, but faced with the avalanche of proposed patches, I dealt
> with the most urgent thing first.
>
> 2014-07-10 10:56 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
>
> > hmm, isn't that a bit crude? Doesn't it risk breaking searches
> > sometimes?
> >
> > What I usually do is two variables: an "escaped" one that I use whenever
> > I want to output, and an "unescaped" one for API calls.
> >
> > Do you know which are the 3 places that write this variable? I see one
> > with the form::field there, but I don't see the others
> >
> > On 10 July 2014 10:36, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
> >
> > > I committed something quick to try to fix this. Can you check
> > > tomorrow with the nightly? (2.6 branch)
> > >
> > > 2014-07-10 8:11 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
> > >
> > > > Where is your patch Julien? :-D
> > > >
> > > > 2014-07-09 11:58 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> > > >
> > > > > note that there are apparently 3 places where it's displayed this way.
> > > > >
> > > > > On 9 July 2014 11:57, Julien Wajsberg <felash(a)gmail.com> wrote:
> > > > >
> > > > > > I can see it in the clear in the page source:
> > > > > >
> > > > > > <input type="submit" value="ok" /></p>
> > > > > > <input type="hidden" name="xd_check" value="e583662b0e24493bb6d9e67cdfdc03140104694a" />
> > > > > > <input type="hidden" name="q" value=""><img src=0 onerror=alert(document.cookie)>" />
> > > > > > <input type="hidden" name="qtype" value="p" /></div></form>
> > > > > > <form action="/blog/admin/search.php" method="get"><div class="pager"><ul>
> > > > > > <li class="first no-link btn"><img src="images/pagination/no-first.png" alt="Première page"/></li>
> > > > > > <li class="prev no-link btn"><img src="images/pagination/no-previous.png" alt="Page précédente"/></li>
> > > > > > <li class="active"><strong>Page 1 / 16</strong></li>
> > > > > > <li class="next btn"><a href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img src="images/pagination/next.png" alt="Page suivante"/></a><span class="hidden">Page suivante</span></li>
> > > > > > <li class="last btn"><a href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img src="images/pagination/last.png" alt="Dernière page"/></a><span class="hidden">Dernière page</span></li>
> > > > > > <li class="direct-access">Aller à la page : <input type="text" size="3" name="page" maxlength="10" /><input type="submit" value="ok" class="reset" name="ok" />
> > > > > > <input type="hidden" name="q" value=""><img src=0 onerror=alert(document.cookie)>" />
> > > > > > <input type="hidden" name="qtype" value="p" /></li></ul></div></form>
> > > > > > <div id="help"><hr /><div class="help-content clear"><h3>Aide pour cette page</h3>
> > > > > >
> > > > > > (search for "xd_check")
> > > > > >
> > > > > > as for why it doesn't reproduce elsewhere, I have no idea, but I
> > > > > > can still see clearly that we're not escaping user input when we
> > > > > > should.
> > > > > >
> > > > > > On 8 July 2014 20:23, Nicolas <nikrou77(a)gmail.com> wrote:
> > > > > >
> > > > > > > Re,
> > > > > > >
> > > > > > > 2014-07-08 17:28 GMT+02:00 Franck Paul <carnet.franck.paul(a)gmail.com>:
> > > > > > >
> > > > > > > > Apparently it's a problem on the Firefox side, not Dotclear.
> > > > > > > > The strings are, a priori, properly escaped in the search and
> > > > > > > > in the display.
> > > > > > >
> > > > > > > And yes Franck, otherwise the problem would exist whatever the
> > > > > > > browser.
> > > > > > >
> > > > > > > > 2014-07-08 17:06 GMT+02:00 Philippe <philippe(a)dissitou.org>:
> > > > > > > >
> > > > > > > > > I reproduce it with Firefox only too, on version 2.6.3 and
> > > > > > > > > 2.7-dev
> > > > > > > > > --
> > > > > > > > > Philippe
> > > > > > > > >
> > > > > > > > > 2014-07-08 16:41 GMT+02:00 Nicolas <nikrou77(a)gmail.com>:
> > > > > > > > >
> > > > > > > > > > I reproduce it too, but only with the blue panda! :-)
> > > > > > > > > >
> > > > > > > > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> > > > > > > > > >
> > > > > > > > > > > I reproduce it on my blog (which doesn't have the latest
> > > > > > > > > > > version, though)
> > > > > > > > > > >
> > > > > > > > > > > On 8 July 2014 16:26, Franck Paul <carnet.franck.paul(a)gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > JPCERT97966327
> > > > > > > > > > > >
> > > > > > > > > > > > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg <felash(a)gmail.com>:
> > > > > > > > > > > >
> > > > > > > > > > > > > need the password :)
> > > > > > > > > > > > >
> > > > > > > > > > > > > On 8 July 2014 16:04, Dotclear (contact) <contact(a)dotclear.net> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > The archive that details it all a bit:
> > > > > > > > > > > > > > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <contact(a)dotclear.net>:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hi all,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > This morning we received a report about an XSS
> > > > > > > > > > > > > > > vulnerability (see below; the archive password is
> > > > > > > > > > > > > > > JPCERT97966327), but I can't reproduce the
> > > > > > > > > > > > > > > vulnerability.
> > > > > > > > > > > > > > > Can someone take a look on their side?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Franck
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > ---------- Forwarded message ----------
> > > > > > > > > > > > > > > From: JPCERT/CC <vuls(a)jpcert.or.jp>
> > > > > > > > > > > > > > > Date: 2014-07-08 4:36 GMT+02:00
> > > > > > > > > > > > > > > Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JPCERT#97966327
> > > > > > > > > > > > > > > To: Dotclear Development Team <contact(a)dotclear.net>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hello xave @ the Dotclear Team,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > We have received a vulnerability report for one
> > > > > > > > > > > > > > > of your products:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - Dotclear 2.6.3 vulnerable to cross-site scripting
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I have attached the details of the reported
> > > > > > > > > > > > > > > vulnerability to this email.
> > > > > > > > > > > > > > > The password for the zip file will be sent in a
> > > > > > > > > > > > > > > separate email.
> > > > > > > > > > > > > > > The original report was against version 2.6.2,
> > > > > > > > > > > > > > > but the issue was also verified to still exist in
> > > > > > > > > > > > > > > 2.6.3. Please see the report for more details.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Please take a look at the report and return to us
> > > > > > > > > > > > > > > with the information such as;
> > > > > > > > > > > > > > > -validate the products, and whether the reported
> > > > > > > > > > > > > > > vulnerability is confirmed or not
> > > > > > > > > > > > > > > -solutions (e.g., patch or module update)
> > > > > > > > > > > > > > > -workarounds if any
> > > > > > > > > > > > > > > -estimated time for creation of fixes
> > > > > > > > > > > > > > > -preferable date for public release on your site
> > > > > > > > > > > > > > > *we will also publish an advisory for this issue
> > > > > > > > > > > > > > > on our vulnerability knowledge base, JVN,
> > > > > > > > > > > > > > > http://jvn.jp, http://jvn.jp/en/, synchronizing
> > > > > > > > > > > > > > > with your release schedule.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > **Caution**
> > > > > > > > > > > > > > > We have assigned the tracking number for this
> > > > > > > > > > > > > > > vulnerability issue;
> > > > > > > > > > > > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
> > > > > > > > > > > > > > > Please be sure to include these numbers in the
> > > > > > > > > > > > > > > subject line for future communication with us.
> > > > > > > > > > > > > > > We appreciate your cooperation on this.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > If you have any questions and concerns, please do
> > > > > > > > > > > > > > > not hesitate to contact us any time.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Thank you in advance for your attention on this
> > > > > > > > > > > > > > > matter.
> > > > > > > > > > > > > > > We are looking forward to hearing from you.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Sincerely yours,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Takayuki Uchiyama
> > > > > > > > > > > > > > > JPCERT/CC Vulnerability Handling Team
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Hello,
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Please be aware that Dotclear 2.6.2 is not the
> > > > > > > > > > > > > > > > latest version: v2.6.3 was released in May to
> > > > > > > > > > > > > > > > patch vulnerabilities found in 2.6.2 (listed at
> > > > > > > > > > > > > > > > http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
> > > > > > > > > > > > > > > > )
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > If the vulnerabilities you found are not the one
> > > > > > > > > > > > > > > > listed and still exist in 2.6.3, please send any
> > > > > > > > > > > > > > > > information to security(a)dotclear.net where
> > > > > > > > > > > > > > > > you'll reach several members of the team (we do
> > > > > > > > > > > > > > > > not use a GPG key).
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > xave, for the Dotclear Team.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <vuls(a)jpcert.or.jp> wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > To whom it may concern,
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Hello. This is Noriko Takahashi from JPCERT/CC
> > > > > > > > > > > > > > > > > Vulnerability Handling Team. Please excuse the
> > > > > > > > > > > > > > > > > sudden contact.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > If you're not familiar with us or our
> > > > > > > > > > > > > > > > > activities, please check the following
> > > > > > > > > > > > > > > > > websites for more information.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > http://www.jpcert.or.jp/english/
> > > > > > > > > > > > > > > > > http://www.jpcert.or.jp/english/vh/project.html
> > > > > > > > > > > > > > > > > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > > > > > > > > > > > > > > > > http://jvn.jp/en/
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > We have received a report of a vulnerability
> > > > > > > > > > > > > > > > > found in the product "Dotclear 2.6.2" from a
> > > > > > > > > > > > > > > > > researcher/user here in Japan under the
> > > > > > > > > > > > > > > > > vulnerability handling framework called
> > > > > > > > > > > > > > > > > "Information Security Early Warning
> > > > > > > > > > > > > > > > > Partnership" and the official announcement
> > > > > > > > > > > > > > > > > #235 "Software Vulnerability Related
> > > > > > > > > > > > > > > > > Information Handling Measures" which were
> > > > > > > > > > > > > > > > > designed by Ministry of Economy, Trade and
> > > > > > > > > > > > > > > > > Industry (METI), a Japanese cabinet.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > From the website
> > > > > > > > > > > > > > > > > http://dotclear.org/contact
> > > > > > > > > > > > > > > > > we found this email address. We would like to
> > > > > > > > > > > > > > > > > coordinate with you to solve the reported
> > > > > > > > > > > > > > > > > vulnerability, and your cooperation would be
> > > > > > > > > > > > > > > > > greatly appreciated.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Before we provide you the details of the
> > > > > > > > > > > > > > > > > reported vulnerability, we would like to know
> > > > > > > > > > > > > > > > > the appropriate point-of-contact person, or
> > > > > > > > > > > > > > > > > department/group/team to communicate in
> > > > > > > > > > > > > > > > > regards to this issue. It would be greatly
> > > > > > > > > > > > > > > > > appreciated if you could provide us the below
> > > > > > > > > > > > > > > > > information at your earliest convenience.
> > > > > > > > > > > > > > > > > -Name of the person/team who is in charge of
> > > > > > > > > > > > > > > > > such issues
> > > > > > > > > > > > > > > > > -Email address
> > > > > > > > > > > > > > > > > -PGP key if available
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Once we receive your reply and point-of-contact
> > > > > > > > > > > > > > > > > information, we will then send you the original
> > > > > > > > > > > > > > > > > vulnerability report and the details either in
> > > > > > > > > > > > > > > > > a PGP encrypted message or in a password
> > > > > > > > > > > > > > > > > protected zip file.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > If you have any questions or concerns, please
> > > > > > > > > > > > > > > > > do not hesitate to contact us any time.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Thank you in advance for your attention to
> > > > > > > > > > > > > > > > > this email.
> > > > > > > > > > > > > > > > > We would very much appreciate your prompt
> > > > > > > > > > > > > > > > > reply.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Sincerely yours,
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Noriko Takahashi
> > > > > > > > > > > > > > > > > Leader of Vulnerability Handling Team
> > > > > > > > > > > > > > > > > Information Coordination Group
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > ======================================================================
> > > > > > > > > > > > > > > JPCERT Coordination Center (JPCERT/CC)
> > > > > > > > > > > > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: vuls(a)jpcert.or.jp
> > > > > > > > > > > > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
> > > > > > > > > > > > > > > https://www.jpcert.or.jp/english
> > > > > > > > > > > > > > > http://jvn.jp/en/
> > > > > > > > > > > > > > > http://jvn.jp
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > Dotclear Team
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Dotclear Team
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Franck
> > > > > > > >
> > > > > > > > --
> > > > > > > > Franck
> > > >
> > > > --
> > > > Franck
> > >
> > > --
> > > Franck
>
> --
> Franck

--
Dev mailing list - Dev(a)list.dotclear.org -
http://ml.dotclear.org/listinfo/dev
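The defect visible in the page source quoted above is the search term `q` being echoed into the `value="..."` attribute of a hidden field (and into the pagination links) without attribute escaping, so a double quote in the term closes the attribute early. The example below is added here and is not Dotclear code nor the patch discussed in the thread; it shows the "two variables" pattern Julien describes in plain PHP. `$q` stays raw for the search call, `$q_html` is the escaped copy used for every write into markup. `render_hidden_q_vulnerable()`, `render_hidden_q()`, `pager_link()` and `fake_search_api()` are hypothetical stand-ins for the admin page's template and search API; `htmlspecialchars()` and `http_build_query()` are standard PHP, not Dotclear helpers.

```php
<?php
// Added example, not Dotclear code. The search term is user input; the raw copy
// is what the search API needs, the escaped copy is what the HTML output needs.

// Attribute escaping: ENT_QUOTES also encodes the single quote, so the result is
// safe in either attribute quoting style; ENT_SUBSTITUTE avoids an empty string
// on invalid UTF-8 (which would silently drop the value instead of failing loudly).
function escape_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable shape (what the quoted page source shows): the raw term is
// concatenated into the attribute, so a '"' in it ends the attribute and the
// rest of the term is parsed as markup.
function render_hidden_q_vulnerable(string $q_raw): string
{
    return '<input type="hidden" name="q" value="' . $q_raw . '" />';
}

// Hardened shape: the caller passes the already-escaped copy. The helper takes
// the escaped variable on purpose, so a reader of the call site can see which
// copy is flowing into the markup.
function render_hidden_q(string $q_html): string
{
    return '<input type="hidden" name="q" value="' . $q_html . '" />';
}

// Pagination links need two encodings in order: URL-encode the term into the
// query string, then attribute-escape the whole URL (this also turns the '&'
// separators into '&amp;', which is the correct form inside an HTML attribute).
function pager_link(string $q_raw, string $qtype, int $page): string
{
    $url = '/blog/admin/search.php?' . http_build_query([
        'q'     => $q_raw,
        'qtype' => $qtype,
        'page'  => $page,
    ]);
    return '<a href="' . escape_attr($url) . '">Page ' . $page . '</a>';
}

// Hypothetical stand-in for the search call: it must receive the raw term,
// otherwise searching for a term containing '&' or '<' would silently break
// (the "doesn't it risk breaking searches" concern raised in the thread).
function fake_search_api(string $q_raw): array
{
    return ['term' => $q_raw, 'count' => 0];
}

// Constructed sample input: a term containing a double quote and a tag.
$q      = 'hello"><em>not a search term</em>';
$q_html = escape_attr($q);          // used for every echo into markup
$result = fake_search_api($q);      // raw copy for the API only

echo "vulnerable: " . render_hidden_q_vulnerable($q) . PHP_EOL;
echo "hardened:   " . render_hidden_q($q_html) . PHP_EOL;
echo "pager:      " . pager_link($q, 'p', 2) . PHP_EOL;
echo "api got:    " . $result['term'] . PHP_EOL;
```

Running it prints the broken attribute on the first line and the intact, escaped attribute on the second; the pager line shows the term URL-encoded inside the `href`. The browser-dependent reproduction reported in the thread is consistent with the reflected-XSS filters that Chrome and Internet Explorer shipped at the time and Firefox did not; those filters are not a fix, and only the server-side escaping removes the bug.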