Can we answer them once and for all that the file in question is not accessible? On 10 Apr 2013 07:32, "Dotclear (contact)" <[email protected]> wrote:
> FYI
>
> Franck
>
> ---------- Forwarded message ----------
> From: MustLive <[email protected]>
> Date: 2013/4/9
> Subject: XSS and CS vulnerabilities in Dotclear
> To: [email protected]
>
> *Hello developers of Dotclear!*
>
> In January I informed you about multiple vulnerabilities in Dotclear. You have lamerly ignored my letter and haven't fixed these holes.
>
> I wrote to you about Cross-Site Scripting and Content Spoofing vulnerabilities in flash files in your engine. Dotclear has three swf files (according to your site http://dev.dotclear.org/2.0/browser/inc/swf), and I suppose the last version, Dotclear 2.4.4, does too. These files are vulnerable to XSS and CS, so your engine has these holes.
>
> Now I'll give you more vulnerabilities in SWFUpload, in addition to the previous XSS hole, which I'll be disclosing together with the previous vulnerabilities in all three swf files in Dotclear.
>
> These are new Cross-Site Scripting and Content Spoofing vulnerabilities in your engine. I already wrote about these holes in March in my advisories concerning SWFUpload (http://seclists.org/fulldisclosure/2013/Mar/110 and http://seclists.org/fulldisclosure/2013/Mar/116). If you had fixed the previous hole in SWFUpload in January, when I first informed you, you would also have fixed these holes.
>
> *Content Spoofing (WASC-12):*
>
> http://site/inc/swf/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
>
> It's possible to inject text, images and html (e.g. for link injection).
>
> *Cross-Site Scripting (WASC-08):*
>
> http://site/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
>
> Code will execute after click. It's strictly social XSS.
>
> The same as with the previous holes, all versions of Dotclear are vulnerable to these ones: Dotclear 2.4.4 and previous versions.
>
> Best wishes & regards,
> Eugene Dokukin aka MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Dev mailing list - [email protected] -
> http://ml.dotclear.org/listinfo/dev
>
_______________________________________________ Dev mailing list - [email protected] - http://ml.dotclear.org/listinfo/dev
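The reply above suggests the answer is simply that the SWF file is not reachable. A defender wanting to confirm that, and to see whether the buttonText vector from the forwarded advisory is being tried, can check the web server's access log. The following is an added example written for this thread, not code from Dotclear, SWFUpload or the advisory author: it classifies requests to any `.swf` path by what the decoded `buttonText` parameter carries (a script-scheme URI, plain markup, or nothing) and records whether the server actually served the file (HTTP 200). The log format, the sample log lines and the IP addresses are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Markup or a script-scheme URI inside the decoded buttonText value.
MARKUP_RE = re.compile(r"<\s*/?[a-z]", re.IGNORECASE)
SCRIPT_URI_RE = re.compile(r"(javascript|vbscript)\s*:", re.IGNORECASE)

# Request and status fields of a combined-format access log line
# (assumed log format; adapt the pattern to the server's own format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_request(url: str) -> Optional[str]:
    """Classify one request URL for the swfupload.swf buttonText vector.

    Returns 'xss' when buttonText carries a script URI, 'content_spoofing'
    when it only carries markup, 'swf_request' for any other request to a
    .swf file, and None for requests that do not touch a .swf file at all.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".swf"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("buttonText", []):
        # parse_qs already decoded once; decoding again catches payloads
        # that were percent-encoded twice to slip past naive filters.
        text = unquote(raw)
        if SCRIPT_URI_RE.search(text):
            return "xss"
        if MARKUP_RE.search(text):
            return "content_spoofing"
    return "swf_request"


def scan_log(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (url, classification, served) for every .swf request in the log.

    served is True when the server answered 200: the flash file is still
    reachable, so the "file is not accessible" answer would not hold.
    """
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url, status = match.group(1), match.group(2)
        kind = classify_request(url)
        if kind is not None:
            findings.append((url, kind, status == "200"))
    return findings


# Constructed sample log lines (not real traffic); the query strings mirror
# the two proof-of-concept URLs quoted in the forwarded advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2013:07:32:00 +0200] "GET /inc/swf/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E HTTP/1.1" 200 11234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2013:07:32:05 +0200] "GET /inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E HTTP/1.1" 403 215 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Apr/2013:07:33:10 +0200] "GET /index.php HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Apr/2013:07:33:12 +0200] "GET /inc/swf/swfupload.swf HTTP/1.1" 404 180 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for url, kind, served in scan_log(SAMPLE_LOG):
        print(f"{kind:17} served={served} {url}")
```

A 200 on any `.swf` request under `inc/swf/` means the blocking the reply relies on is not in place for that path; a 403 or 404 confirms it is. The classification is deliberately coarse (any tag or script scheme in buttonText) because the legitimate upload page never passes markup in that parameter.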
