Si tu me trouves les 3 endroits où on écrit le truc, je veux bien faire un patch, mais vu comme je connais bien le code (ou pas) j'ai pas vraiment le temps de chercher :/
On 10 July 2014 11:03, Franck Paul <[email protected]> wrote: > Si c'est bourrin je l'admets, mais devant l'avalanche de patchs proposés, > j'ai paré au plus pressé. > > > 2014-07-10 10:56 GMT+02:00 Julien Wajsberg <[email protected]>: > > > mmm c'est pas un peu bourrin? ça risque pas de péter les recherches > parfois > > ? > > > > ce que je fais généralement, c'est deux variables: une "échappée" que > > j'utilise dès que je veux écrire, une "non échappée" pour les appels > d'API. > > > > Tu sais quels sont les 3 endroits qui écrivent cette variable ? J'en vois > > un avec le form::field là, mais je vois pas les autres > > > > > > On 10 July 2014 10:36, Franck Paul <[email protected]> wrote: > > > > > J'ai commité un truc vite fait pour tenter de corriger ça. Vous pouvez > > > vérifier demain avec la nightly ? (branche 2.6) > > > > > > > > > 2014-07-10 8:11 GMT+02:00 Franck Paul <[email protected]>: > > > > > > > Where is your patch Julien ? :-D > > > > > > > > > > > > 2014-07-09 11:58 GMT+02:00 Julien Wajsberg <[email protected]>: > > > > > > > > note qu'il y a visiblement 3 endroits où on l'affiche ainsi. > > > >> > > > >> > > > >> On 9 July 2014 11:57, Julien Wajsberg <[email protected]> wrote: > > > >> > > > >> > moi je vois en clair dans le source: > > > >> > > > > >> > <input type="submit" value="ok" /></p><input type="hidden" > > > >> name="xd_check" value="e583662b0e24493bb6d9e67cdfdc03140104694a" > > > /><input > > > >> type="hidden" name="q" value=""><img src=0 > > > onerror=alert(document.cookie)>" > > > >> /><input type="hidden" name="qtype" value="p" /></div></form><form > > > >> action="/blog/admin/search.php" method="get"><div > > class="pager"><ul><li > > > >> class="first no-link btn"><img src="images/pagination/no-first.png" > > > >> alt="Première page"/></li><li class="prev no-link btn"><img > > > >> src="images/pagination/no-previous.png" alt="Page > > précédente"/></li><li > > > >> class="active"><strong>Page 1 / 16</strong></li><li class="next > > btn"><a > > > >> > > > > > > href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img > > > >> src="images/pagination/next.png" alt="Page suivante"/></a><span > > > >> class="hidden">Page suivante</span></li><li class="last btn"><a > > > >> > > > > > > href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img > > > >> src="images/pagination/last.png" alt="Dernière page"/></a><span > > > >> class="hidden">Dernière page</span></li><li > > class="direct-access">Aller > > > à > > > >> la page : <input type="text" size="3" name="page" maxlength="10" > > > /><input > > > >> type="submit" value="ok" class="reset" name="ok" /><input > > type="hidden" > > > >> name="q" value=""><img src=0 onerror=alert(document.cookie)>" > > /><input > > > >> type="hidden" name="qtype" value="p" /></li></ul></div></form><div > > > >> id="help"><hr /><div class="help-content clear"><h3>Aide pour cette > > > >> page</h3> > > > >> > > > > >> > > > > >> > (cherche "xd_check") > > > >> > > > > >> > après, pourquoi ça se reproduit pas ailleurs, j'en sais rien, mais > > je > > > >> vois > > > >> > quand même bien qu'on échappe pas l'entrée utilisateur alors qu'on > > le > > > >> > devrait. > > > >> > > > > >> > > > > >> > On 8 July 2014 20:23, Nicolas <[email protected]> wrote: > > > >> > > > > >> >> Re, > > > >> >> > > > >> >> > > > >> >> 2014-07-08 17:28 GMT+02:00 Franck Paul < > > [email protected] > > > >: > > > >> >> > > > >> >> > Apparemment c'est un problème côté firefox, pas Dotclear. les > > > chaînes > > > >> >> sont > > > >> >> > à priori bien échappées à la recherche et à l'affichage. > > > >> >> > > > > >> >> > Et oui Franck, sinon le problème existerait quel que soit le > > > >> navigateur. > > > >> >> > > > >> >> > > > >> >> > > > >> >> > > > > >> >> > 2014-07-08 17:06 GMT+02:00 Philippe <[email protected]>: > > > >> >> > > > > >> >> > > Je reproduis avec Firefox seulement aussi, sur la version > 2.6.3 > > > et > > > >> >> > 2.7-dev > > > >> >> > > -- > > > >> >> > > Philippe > > > >> >> > > > > > >> >> > > > > > >> >> > > 2014-07-08 16:41 GMT+02:00 Nicolas <[email protected]>: > > > >> >> > > > Je reproduis aussi mais uniquement avec le panda bleu ! :-) > > > >> >> > > > > > > >> >> > > > > > > >> >> > > > 2014-07-08 16:40 GMT+02:00 Julien Wajsberg < > [email protected] > > >: > > > >> >> > > > > > > >> >> > > >> je reproduis sur mon blog (mais qui a pas la dernière > > version) > > > >> >> > > >> > > > >> >> > > >> > > > >> >> > > >> On 8 July 2014 16:26, Franck Paul < > > > [email protected] > > > >> > > > > >> >> > wrote: > > > >> >> > > >> > > > >> >> > > >> > JPCERT97966327 > > > >> >> > > >> > > > > >> >> > > >> > > > > >> >> > > >> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg < > > > [email protected] > > > >> >: > > > >> >> > > >> > > > > >> >> > > >> > > faut le mot de passe :) > > > >> >> > > >> > > > > > >> >> > > >> > > > > > >> >> > > >> > > On 8 July 2014 16:04, Dotclear (contact) < > > > >> [email protected] > > > >> >> > > > > >> >> > > wrote: > > > >> >> > > >> > > > > > >> >> > > >> > > > L'archive qui détaille un peu tout : > > > >> >> > > >> > > > > > > >> >> > > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip > > > >> >> > > >> > > > > > > >> >> > > >> > > > > > > >> >> > > >> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) < > > > >> >> > > [email protected] > > > >> >> > > >> >: > > > >> >> > > >> > > > > > > >> >> > > >> > > > > Jour les gens, > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > On a reçu ce matin un rapport au sujet d'une > faille > > > XSS > > > >> >> (voir > > > >> >> > > >> > > ci-dessous, > > > >> >> > > >> > > > > le mot de passe de l'archive est JPCERT97966327) > > mais > > > je > > > >> >> > > n'arrive > > > >> >> > > >> > pas à > > > >> >> > > >> > > > > reproduire la faille. > > > >> >> > > >> > > > > Quelqu'un peut regarder ça de son côté ? > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > Franck > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > ---------- Forwarded message ---------- > > > >> >> > > >> > > > > From: JPCERT/CC <[email protected]> > > > >> >> > > >> > > > > Date: 2014-07-08 4:36 GMT+02:00 > > > >> >> > > >> > > > > Subject: Re: Inquiry on vulnerability found in > > > Dotclear > > > >> >> 2.6.3 > > > >> >> > > VN: > > > >> >> > > >> > > > > JVN#61637002 / TN: JP CERT#97966327JPCERT#97966327 > > > >> >> > > >> > > > > To: Dotclear Development Team < > [email protected] > > > > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > Hello xave @ the Dotclear Team, > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > We have received a vulnerability report for one of > > > your > > > >> >> > > products: > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > - Dotclear 2.6.3 vulnerable to cross-site > > scripting > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > I have attached the details of the reported > > > >> vulnerability > > > >> >> to > > > >> >> > > this > > > >> >> > > >> > > email. > > > >> >> > > >> > > > > The password for the zip file will be sent in a > > > separate > > > >> >> > email. > > > >> >> > > >> > > > > The original report was against version 2.6.2, but > > the > > > >> >> issue > > > >> >> > was > > > >> >> > > >> also > > > >> >> > > >> > > > > verified to still exist in 2.6.3. Please see the > > > report > > > >> for > > > >> >> > more > > > >> >> > > >> > > details. > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > Please take a look at the report and return to us > > with > > > >> the > > > >> >> > > >> > information > > > >> >> > > >> > > > > such as; > > > >> >> > > >> > > > > -validate the products, and whether the reported > > > >> >> > vulnerability > > > >> >> > > is > > > >> >> > > >> > > > > confirmed or not > > > >> >> > > >> > > > > -solutions (e.g., patch or module update) > > > >> >> > > >> > > > > -workarounds if any > > > >> >> > > >> > > > > -estimated time for creation of fixes > > > >> >> > > >> > > > > -preferable date for public release on your site > > > >> >> > > >> > > > > *we will also publish an advisory for this issue > > on > > > >> our > > > >> >> > > >> > vulnerability > > > >> >> > > >> > > > > knowledge base, JVN, http://jvn.jp, > > > >> http://jvn.jp/en/, > > > >> >> > > >> > > > > synchronizing with your release schedule. > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > **Caution** > > > >> >> > > >> > > > > We have assigned the tracking number for this > > > >> >> vulnerability > > > >> >> > > >> issue; > > > >> >> > > >> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327] > > > >> >> > > >> > > > > Please be sure to include these numbers in the > > > subject > > > >> >> line > > > >> >> > > for > > > >> >> > > >> > > > > future communication with us. We appreciate > your > > > >> >> > cooperation > > > >> >> > > on > > > >> >> > > >> > > this. > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > If you have any questions and concerns, please do > > not > > > >> >> hesitate > > > >> >> > > to > > > >> >> > > >> > > > > contact us any time. > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > Thank you in advance for your attention on this > > > matter. > > > >> >> > > >> > > > > We are looking forward to hearing from you. > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > Sincerely yours, > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > Takayuki Uchiyama > > > >> >> > > >> > > > > JPCERT/CC Vulnerability Handling Team > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > > Hello, > > > >> >> > > >> > > > > > > > > >> >> > > >> > > > > > Please be aware that Dotclear 2.6.2 is not the > > > latest > > > >> >> > version: > > > >> >> > > >> > v2.6.3 > > > >> >> > > >> > > > > > was released in May to patch vulnerabilities > found > > > in > > > >> >> 2.6.2 > > > >> >> > > >> (listed > > > >> >> > > >> > > at > > > >> >> > > >> > > > > > > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > > > >> >> > > >> > > > > > >> >> > > >> > > > > >> >> > > >> > > > >> >> > > > > > >> >> > > > > >> >> > > > >> > > > > > > http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html > > > >> >> > > >> > > > > > ) > > > >> >> > > >> > > > > > > > > >> >> > > >> > > > > > If the vulnerabilities you found are not the one > > > >> listed > > > >> >> and > > > >> >> > > still > > > >> >> > > >> > > > > > exist in 2.6.3, please send any information to > > > >> >> > > >> > [email protected] > > > >> >> > > >> > > > > > where you'll reach several members of the team > (we > > > do > > > >> not > > > >> >> > use > > > >> >> > > a > > > >> >> > > >> GPG > > > >> >> > > >> > > > > > key). > > > >> >> > > >> > > > > > > > > >> >> > > >> > > > > > xave, for the Dotclear Team. > > > >> >> > > >> > > > > > > > > >> >> > > >> > > > > > > > > >> >> > > >> > > > > > > > > >> >> > > >> > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC < > > > >> >> > [email protected] > > > >> >> > > > > > > >> >> > > >> > > wrote: > > > >> >> > > >> > > > > > > To whom it may concern, > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > Hello. This is Noriko Takahashi from > JPCERT/CC > > > >> >> > > Vulnerability > > > >> >> > > >> > > > > > > Handling Team. Please excuse the sudden > > contact. > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > If you're not familiar with us or our > > activities, > > > >> >> please > > > >> >> > > >> > > > > > > check the following websites for more > > information. > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > http://www.jpcert.or.jp/english/ > > > >> >> > > >> > > > > > > > > http://www.jpcert.or.jp/english/vh/project.html > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > >> >> > > > > > >> >> > > > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm > > > >> >> > > >> > > > > > > http://jvn.jp/en/ > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > We have received a report of a vulnerability > > found > > > >> in > > > >> >> the > > > >> >> > > >> > > > > > > product "Dotclear 2.6.2" from a > researcher/user > > > >> here in > > > >> >> > > Japan > > > >> >> > > >> > > > > > > under the vulnerability handling framework > > called > > > >> >> > > "Information > > > >> >> > > >> > > > > > > Security Early Warning Partnership" and the > > > official > > > >> >> > > >> announcement > > > >> >> > > >> > > > > > > #235 "Software Vulnerability Related > Information > > > >> >> Handling > > > >> >> > > >> > Measures" > > > >> >> > > >> > > > > > > which were designed by Ministry of Economy, > > Trade > > > >> and > > > >> >> > > Industry > > > >> >> > > >> > > > (METI), > > > >> >> > > >> > > > > > > a Japanese cabinet. > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > From the website > > > >> >> > > >> > > > > > > http://dotclear.org/contact > > > >> >> > > >> > > > > > > we found this email address. We would like to > > > >> >> coordinate > > > >> >> > > with > > > >> >> > > >> you > > > >> >> > > >> > > > > > > to solve the reported vulnerability, and your > > > >> >> cooperation > > > >> >> > > would > > > >> >> > > >> > be > > > >> >> > > >> > > > > > > greatly appreciated. > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > Before we provide you the details of the > > reported > > > >> >> > > >> vulnerability, > > > >> >> > > >> > > > > > > we would like to know the appropriate > > > >> point-of-contact > > > >> >> > > person, > > > >> >> > > >> > > > > > > or department/group/team to communicate in > > regards > > > >> to > > > >> >> this > > > >> >> > > >> issue. > > > >> >> > > >> > > > > > > It would be greatly appreciated if you could > > > >> provide us > > > >> >> > the > > > >> >> > > >> below > > > >> >> > > >> > > > > > > information at your earliest convenience. > > > >> >> > > >> > > > > > > -Name of the person/team who is in charge of > > such > > > >> >> issues > > > >> >> > > >> > > > > > > -Email address > > > >> >> > > >> > > > > > > -PGP key if available > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > Once we receive your reply and and > > > point-of-contact > > > >> >> > > >> information, > > > >> >> > > >> > > > > > > we will then send you the original > vulnerability > > > >> report > > > >> >> > and > > > >> >> > > the > > > >> >> > > >> > > > > > > details either in a PGP encrypted message or > in > > a > > > >> >> password > > > >> >> > > >> > > protected > > > >> >> > > >> > > > > > > zip file. > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > If you have any questions or concerns, please > do > > > not > > > >> >> > > hesitate > > > >> >> > > >> > > > > > > to contact us any time. > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > Thank you in advance for your attention to > this > > > >> email. > > > >> >> > > >> > > > > > > We would very much appreciate your prompt > reply. > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > Sincerely yours, > > > >> >> > > >> > > > > > > > > > >> >> > > >> > > > > > > Noriko Takahashi > > > >> >> > > >> > > > > > > Leader of Vulnerability Handling Team > > > >> >> > > >> > > > > > > Information Coordination Group > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > >> >> > > > > >> > ====================================================================== > > > >> >> > > >> > > > > JPCERT Coordination Center (JPCERT/CC) > > > >> >> > > >> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 > EMAIL: > > > >> >> > > >> [email protected] > > > >> >> > > >> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 > 89 > > 52 > > > >> D4 > > > >> >> F8 > > > >> >> > 8D > > > >> >> > > 50 > > > >> >> > > >> FC > > > >> >> > > >> > > > > https://www.jpcert.or.jp/english > > http://jvn.jp/en/ > > > >> >> > > >> > http://jvn.jp > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > -- > > > >> >> > > >> > > > > Dotclear Team > > > >> >> > > >> > > > > > > > >> >> > > >> > > > > > > >> >> > > >> > > > > > > >> >> > > >> > > > > > > >> >> > > >> > > > -- > > > >> >> > > >> > > > Dotclear Team > > > >> >> > > >> > > > -- > > > >> >> > > >> > > > Dev mailing list - [email protected] - > > > >> >> > > >> > > > http://ml.dotclear.org/listinfo/dev > > > >> >> > > >> > > > > > > >> >> > > >> > > -- > > > >> >> > > >> > > Dev mailing list - [email protected] - > > > >> >> > > >> > > http://ml.dotclear.org/listinfo/dev > > > >> >> > > >> > > > > > >> >> > > >> > > > > >> >> > > >> > > > > >> >> > > >> > > > > >> >> > > >> > -- > > > >> >> > > >> > Franck > > > >> >> > > >> > -- > > > >> >> > > >> > Dev mailing list - [email protected] - > > > >> >> > > >> > http://ml.dotclear.org/listinfo/dev > > > >> >> > > >> > > > > >> >> > > >> -- > > > >> >> > > >> Dev mailing list - [email protected] - > > > >> >> > > >> http://ml.dotclear.org/listinfo/dev > > > >> >> > > >> > > > >> >> > > > -- > > > >> >> > > > Dev mailing list - [email protected] - > > > >> >> > > http://ml.dotclear.org/listinfo/dev > > > >> >> > > -- > > > >> >> > > Dev mailing list - [email protected] - > > > >> >> > > http://ml.dotclear.org/listinfo/dev > > > >> >> > > > > > >> >> > > > > >> >> > > > > >> >> > > > > >> >> > -- > > > >> >> > Franck > > > >> >> > -- > > > >> >> > Dev mailing list - [email protected] - > > > >> >> > http://ml.dotclear.org/listinfo/dev > > > >> >> > > > > >> >> -- > > > >> >> Dev mailing list - [email protected] - > > > >> >> http://ml.dotclear.org/listinfo/dev > > > >> >> > > > >> > > > > >> > > > > >> -- > > > >> Dev mailing list - [email protected] - > > > >> http://ml.dotclear.org/listinfo/dev > > > >> > > > > > > > > > > > > > > > > -- > > > > Franck > > > > > > > > > > > > > > > > -- > > > Franck > > > -- > > > Dev mailing list - [email protected] - > > > http://ml.dotclear.org/listinfo/dev > > > > > -- > > Dev mailing list - [email protected] - > > http://ml.dotclear.org/listinfo/dev > > > > > > -- > Franck > -- > Dev mailing list - [email protected] - > http://ml.dotclear.org/listinfo/dev > -- Dev mailing list - [email protected] - http://ml.dotclear.org/listinfo/dev
