| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Jan 2010 21:40:58 +0100 From: Michele Orru <antisnatchor@...il.com> To: Jeff Williams <jeffwillis30@...il.com> Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua> Subject: Re: XSS vulnerabilities in 34 millions flash files @Jeff Of course they like XSS: the DB maintained by muts et al. is the "prosecution" of milw0rm, since str0ke gives up to mantain it. I remember that str0ke didn't allowed to publish advisories ONLY RELATED to xss (especially reflected ones, as they are so common), but by the way I think is OK to publish there even the most simple reflected XSS, especially if is afflicting world used web-based products. @MustLive I see that people doesn't like your posts here on bugtraq: just try to be more clear on your posts. XSS vulnerabilities in FLASH files have been researched from many years, and with a tool like SWFintruder is so easy to find them: your post is not something new. Is enough to take the Flash files you mentioned (used by joomal or whatever), find the XSS, and then make a google search to see how many sites are using the vulnerable swf. Interesting to know how many are vulnerable, but absolutely NOT SOMETHING NEW. Cheers Michele "antisnatchor" Orru' http://antisnatchor.com On Tue, Jan 12, 2010 at 12:44 AM, Jeff Williams <jeffwillis30@...il.com> wrote: > Yo MustDie, > > Post your shit here: > http://www.exploit-db.com/ > They love XSS. > > > > 2010/1/11 MustLive <mustlive@...security.com.ua> >> >> Hello Full-Disclosure! >> >> Yesterday I wrote the article XSS vulnerabilities in 34 millions flash >> files >> (http://websecurity.com.ua/3842/), and here is English version of it. >> >> In December in my article XSS vulnerabilities in 8 millions flash files >> (http://websecurity.com.ua/3789/) I wrote, that there are up to 34000000 >> of flashes tagcloud.swf in Internet which are potentially vulnerable to >> XSS >> attacks. Taking into account that people mostly didn't draw attention in >> previous article to my mentioning about another 34 millions of vulnerable >> flashes, then I decided to write another article about it. >> >> File tagcloud.swf was developed by author of plugin WP-Cumulus for >> WordPress >> (http://websecurity.com.ua/3665/) and it's delivered with this plugin for >> WordPress, and also with other plugins, particularly Joomulus >> (http://websecurity.com.ua/3801/) and JVClouds3D >> (http://websecurity.com.ua/3839/) for Joomla and Blogumus >> (http://websecurity.com.ua/3843/) for Blogger. Taking into account >> prevalence of this flash file, I'll note that it's most widespread flash >> file in Internet with XSS vulnerability. >> >> ------------------------------------- >> Prevalence of the problem. >> ------------------------------------- >> >> There are a lot of vulnerable tagcloud.swf files in Internet (according to >> Google): >> >> http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf >> >> If at 18.12.2009 there were about 34000000 results, then now there are >> about >> 32500000 results. And these are only those flash files, which were indexed >> by Google, and actually there can be much more of them. >> >> So there are about 32,5 millions of sites with file tagcloud.swf which are >> vulnerable to XSS and HTML Injection attacks. >> >> Among them there are about 273000 gov-sites >> >> (http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf+inurl:gov&filter=0) >> which are vulnerable to XSS and HTML Injection attacks. >> >> ---------------------------------- >> Vulnerabilities in swf-file. >> ---------------------------------- >> >> File tagcloud.swf is vulnerable to XSS and HTML Injection attacks via >> parameter tagcloud. >> >> XSS: >> >> >> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E >> >> Code will execute after click. It's strictly social XSS. >> >> HTML Injection: >> >> >> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E >> >> HTML Injection attack can be conducted particularly on those flash files >> which have protection (in flash files or via WAF) against javascript and >> vbscript URI in parameter tagcloud. >> >> ---------------------------------------- >> Examples of vulnerable sites. >> ---------------------------------------- >> >> I gave examples of vulnerable sites with this swf-file in post XSS >> vulnerabilities in tagcloud.swf at gov and gov.ua >> (http://websecurity.com.ua/3835/). >> >> So for flash developers it's better to attend to security of their flash >> files. And for owners of sites with vulnerable flashes (particularly >> tagcloud.swf) it's needed either to fix them by themselves, or to turn to >> their developers. >> >> Best wishes & regards, >> MustLive >> Administrator of Websecurity web site >> http://websecurity.com.ua >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists