Plop ? la XSS swfupload n'est pas complètement corrigée, cf ci-dessous. ---------- Forwarded message ---------- From: mala <[email protected]> Date: 2013/5/7 Subject: [Open Time] Fwd: XSS in dotclear To: [email protected]
Bonjour, Vous avez reçu un message venant de la page contact de votre blog. Blog : Open Time Message de : mala <[email protected]> Site web : Message : ----------------------------------------------------------- ---------- Forwarded message ---------- From: mala <[email protected]> Date: Sat, May 4, 2013 at 5:50 PM Subject: XSS in dotclear, dotclear.org To: [email protected] Dear dotclear security team, Hi, I'm Japanese programmer/security researcher. This is wrong method to fix vuln. http://dev.dotclear.org/2.0/changeset/1115 Example: http://dotclear.org/?pf=swfupload.swf#?&movieName=";])}catch(e){alert(1)}// -- Franck
_______________________________________________ Dev mailing list - [email protected] - http://ml.dotclear.org/listinfo/dev
