That said, my change is not as brutal as all that, and it does not prevent searching, including for terms such as "<img src=".
I just tried it on the fixed code and it works rather well.

2014-07-10 11:07 GMT+02:00 Franck Paul <[email protected]>:
> The two other places are, I think, the pagination buttons (inc/admin/lib.pager.php)

2014-07-10 10:56 GMT+02:00 Julien Wajsberg <[email protected]>:
> Hmm, isn't that a bit brutal? Doesn't it risk breaking searches sometimes?
>
> What I generally do is keep two variables: an "escaped" one that I use whenever I want to write output, and an "unescaped" one for API calls.
>
> Do you know which are the 3 places that write this variable? I see one with the form::field there, but I don't see the others.

On 10 July 2014 10:36, Franck Paul <[email protected]> wrote:
> I committed something quickly to try to fix this. Can you check tomorrow with the nightly? (2.6 branch)

2014-07-10 8:11 GMT+02:00 Franck Paul <[email protected]>:
> Where is your patch Julien ? :-D

2014-07-09 11:58 GMT+02:00 Julien Wajsberg <[email protected]>:
> Note that there are apparently 3 places where it is displayed this way.

On 9 July 2014 11:57, Julien Wajsberg <[email protected]> wrote:
> As for me, I see it in clear text in the source:
>
> <input type="submit" value="ok" /></p><input type="hidden" name="xd_check" value="e583662b0e24493bb6d9e67cdfdc03140104694a" />
> <input type="hidden" name="q" value=""><img src=0 onerror=alert(document.cookie)>" /><input type="hidden" name="qtype" value="p" /></div></form>
> <form action="/blog/admin/search.php" method="get"><div class="pager"><ul>
> <li class="first no-link btn"><img src="images/pagination/no-first.png" alt="Première page"/></li>
> <li class="prev no-link btn"><img src="images/pagination/no-previous.png" alt="Page précédente"/></li>
> <li class="active"><strong>Page 1 / 16</strong></li>
> <li class="next btn"><a href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=2"><img src="images/pagination/next.png" alt="Page suivante"/></a><span class="hidden">Page suivante</span></li>
> <li class="last btn"><a href="/blog/admin/search.php?q=%22%3E%3Cimg+src%3D0+onerror%3Dalert%28document.cookie%29%3E&qtype=p&page=16"><img src="images/pagination/last.png" alt="Dernière page"/></a><span class="hidden">Dernière page</span></li>
> <li class="direct-access">Aller à la page : <input type="text" size="3" name="page" maxlength="10" /><input type="submit" value="ok" class="reset" name="ok" /><input type="hidden" name="q" value=""><img src=0 onerror=alert(document.cookie)>" /><input type="hidden" name="qtype" value="p" /></li></ul></div></form>
> <div id="help"><hr /><div class="help-content clear"><h3>Aide pour cette page</h3>
>
> (search for "xd_check")
>
> Afterwards, why it does not reproduce elsewhere, I have no idea, but I can see clearly that we are not escaping the user input when we should be.

On 8 July 2014 20:23, Nicolas <[email protected]> wrote:
> Re,
>
> 2014-07-08 17:28 GMT+02:00 Franck Paul <[email protected]>:
> > Apparently it is a problem on the Firefox side, not Dotclear's. The strings are, a priori, properly escaped both in the search and in the display.
>
> And yes Franck, otherwise the problem would exist whatever the browser.

2014-07-08 17:06 GMT+02:00 Philippe <[email protected]>:
> I reproduce with Firefox only as well, on versions 2.6.3 and 2.7-dev
> --
> Philippe

2014-07-08 16:41 GMT+02:00 Nicolas <[email protected]>:
> I reproduce too, but only with the blue panda! :-)

2014-07-08 16:40 GMT+02:00 Julien Wajsberg <[email protected]>:
> I reproduce on my blog (which does not have the latest version, though)

On 8 July 2014 16:26, Franck Paul <[email protected]> wrote:
> JPCERT97966327

2014-07-08 16:22 GMT+02:00 Julien Wajsberg <[email protected]>:
> You need the password :)

On 8 July 2014 16:04, Dotclear (contact) <[email protected]> wrote:
> The archive that details more or less everything:
> https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
>
> --
> Dotclear Team

2014-07-08 15:08 GMT+02:00 Dotclear (contact) <[email protected]>:
> Morning all,
>
> This morning we received a report about an XSS vulnerability (see below; the archive password is JPCERT97966327) but I cannot manage to reproduce the vulnerability.
> Can someone take a look on their side?
>
> Franck
>
> ---------- Forwarded message ----------
> From: JPCERT/CC <[email protected]>
> Date: 2014-07-08 4:36 GMT+02:00
> Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JPCERT#97966327
> To: Dotclear Development Team <[email protected]>
>
> Hello xave @ the Dotclear Team,
>
> We have received a vulnerability report for one of your products:
>
> - Dotclear 2.6.3 vulnerable to cross-site scripting
>
> I have attached the details of the reported vulnerability to this email. The password for the zip file will be sent in a separate email. The original report was against version 2.6.2, but the issue was also verified to still exist in 2.6.3. Please see the report for more details.
>
> Please take a look at the report and return to us with the information such as;
> -validate the products, and whether the reported vulnerability is confirmed or not
> -solutions (e.g., patch or module update)
> -workarounds if any
> -estimated time for creation of fixes
> -preferable date for public release on your site
> *we will also publish an advisory for this issue on our vulnerability knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/, synchronizing with your release schedule.
>
> **Caution**
> We have assigned the tracking number for this vulnerability issue;
> [VN: JVN#61637002 / TN: JPCERT#97966327]
> Please be sure to include these numbers in the subject line for future communication with us. We appreciate your cooperation on this.
>
> If you have any questions and concerns, please do not hesitate to contact us any time.
>
> Thank you in advance for your attention on this matter.
> We are looking forward to hearing from you.
>
> Sincerely yours,
>
> Takayuki Uchiyama
> JPCERT/CC Vulnerability Handling Team
>
> > Hello,
> >
> > Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3 was released in May to patch vulnerabilities found in 2.6.2 (listed at http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html)
> >
> > If the vulnerabilities you found are not the one listed and still exist in 2.6.3, please send any information to [email protected] where you'll reach several members of the team (we do not use a GPG key).
> >
> > xave, for the Dotclear Team.
> >
> > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <[email protected]> wrote:
> > > To whom it may concern,
> > >
> > > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability Handling Team. Please excuse the sudden contact.
> > >
> > > If you're not familiar with us or our activities, please check the following websites for more information.
> > >
> > > http://www.jpcert.or.jp/english/
> > > http://www.jpcert.or.jp/english/vh/project.html
> > > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
> > > http://jvn.jp/en/
> > >
> > > We have received a report of a vulnerability found in the product "Dotclear 2.6.2" from a researcher/user here in Japan under the vulnerability handling framework called "Information Security Early Warning Partnership" and the official announcement #235 "Software Vulnerability Related Information Handling Measures" which were designed by Ministry of Economy, Trade and Industry (METI), a Japanese cabinet.
> > >
> > > From the website http://dotclear.org/contact we found this email address. We would like to coordinate with you to solve the reported vulnerability, and your cooperation would be greatly appreciated.
> > >
> > > Before we provide you the details of the reported vulnerability, we would like to know the appropriate point-of-contact person, or department/group/team to communicate in regards to this issue. It would be greatly appreciated if you could provide us the below information at your earliest convenience.
> > > -Name of the person/team who is in charge of such issues
> > > -Email address
> > > -PGP key if available
> > >
> > > Once we receive your reply and point-of-contact information, we will then send you the original vulnerability report and the details either in a PGP encrypted message or in a password protected zip file.
> > >
> > > If you have any questions or concerns, please do not hesitate to contact us any time.
> > >
> > > Thank you in advance for your attention to this email.
> > > We would very much appreciate your prompt reply.
> > >
> > > Sincerely yours,
> > >
> > > Noriko Takahashi
> > > Leader of Vulnerability Handling Team
> > > Information Coordination Group
>
> ======================================================================
> JPCERT Coordination Center (JPCERT/CC)
> TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: [email protected]
> PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
> https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
>
> --
> Dotclear Team

--
Franck
--
Dev mailing list - [email protected] - http://ml.dotclear.org/listinfo/dev
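The "two variables" approach Julien describes above (one raw copy for the search call, one escaped copy for every write into HTML), as an added example that is not Dotclear's code and does not use its form::field helper or lib.pager.php. The function names and the stand-in search backend are assumptions made up for the demonstration; the payload is the one quoted in the thread. The same query is shown rendered the vulnerable way, the escaped way, and inside a pager href, where it needs URL encoding before attribute escaping.

```php
<?php
// Added example, not Dotclear code: the "two variables" pattern from the thread.
// $q_raw is what the user typed and is only ever handed to the search backend;
// $q_html is the escaped copy used every time the value is written into HTML.
// Function names and the stand-in backend below are assumptions made for the demo.
declare(strict_types=1);

/** Escape a string for use inside an HTML attribute value or text node. */
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Stand-in for the real search call: it must receive the raw, unescaped query,
 *  so that searching for a term like "<img src=" keeps working. */
function run_search(string $q_raw): int
{
    // Hypothetical backend: report how many result pages the query produced.
    return $q_raw === '' ? 0 : 16;
}

/** Vulnerable rendering: the raw query is concatenated into an attribute value,
 *  so a query starting with '">' closes the attribute and the tag. */
function render_hidden_vulnerable(string $q_raw): string
{
    return '<input type="hidden" name="q" value="' . $q_raw . '" />';
}

/** Hardened rendering of the same hidden field: only the escaped copy is written. */
function render_hidden_safe(string $q_html): string
{
    return '<input type="hidden" name="q" value="' . $q_html . '" />';
}

/** Pager link: the query goes into a URL, so it is URL-encoded by
 *  http_build_query(), and the resulting href (which contains '&') is then
 *  HTML-escaped as an attribute value. Two contexts, two encodings. */
function render_pager_link(string $q_raw, int $page): string
{
    $href = '/blog/admin/search.php?' . http_build_query(['q' => $q_raw, 'qtype' => 'p', 'page' => $page]);
    return '<a href="' . esc_html($href) . '">Page ' . $page . '</a>';
}

// Constructed input: the payload quoted in the thread.
$q_raw  = '"><img src=0 onerror=alert(document.cookie)>';
$q_html = esc_html($q_raw);

$pages = run_search($q_raw);   // the backend still sees the literal "<img src=" text

echo "vulnerable: ", render_hidden_vulnerable($q_raw), "\n";
echo "safe:       ", render_hidden_safe($q_html), "\n";
echo "pager:      ", render_pager_link($q_raw, $pages), "\n";
```

Run with `php example.php`. The first line reproduces the broken markup Julien found (the `"` in the payload terminates the `value` attribute and the `<img>` becomes a real element); the second keeps the whole payload inside the attribute as `&quot;&gt;&lt;img ...&gt;`; the third produces an href encoded the same way as the pager links in the quoted source, which were already URL-encoded there while the hidden inputs were not. Escaping at output time, per context, is what lets the raw string still reach the search.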
