lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 20 Nov 2011 23:40:48 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: New XSS vulnerability in WP-Cumulus for WordPress
	and multiple web applications and millions web sites

Hello list!

I want to warn you about new Cross-Site Scripting vulnerability in
WP-Cumulus for WordPress and multiple web applications and millions web
sites.

Earlier I wrote about XSS vulnerability in WP-Cumulus, which I've disclosed
in 2009 (http://securityvulns.com/Wdocument842.html), and many other plugins
(and widgets and themes) for different engines, which are using tagcloud.swf
made by author of WP-Cumulus. About millions of flash files tagcloud.swf
which are vulnerable to XSS attacks I mentioned in my article XSS
vulnerabilities in 34 millions flash files
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of WP-Cumulus. At that Roy Tanck's patch
(version of flash-file for WP-Cumulus 1.23) will work for this vulnerability
too, so in fixed versions of flash-file the XSS will not work, only HTML
Injection.

Also must be vulnerable Joomulus for Joomla, JVClouds3D for Joomla,
Blogumus, 3D Cloud for Joomla, Tagcloud for DLE, t3m_cumulus_tagcloud for
TYPO3, Cumulus for BlogEngine.NET, tagcloud for Kasseler CMS, 3D user cloud
for Joomla, Flash Tag Cloud for Blogsa and other ASP.NET engines, b-cumulus,
Cumulus for Drupal, sfWpCumulusPlugin for symfony, Flash Tag Cloud For MT 4,
MT-Cumulus for Movable Type, Tumulus for Typepad, WP-Cumulus for
RapidWeaver, HB-Cumulus for Habari, Cumulus for DasBlog, EZcumulus and eZ
Flash Tag Cloud for eZ Publish, Simple Tags for Expression Engine (version
1.6.3 and new versions, where support of this swf-file was added), Freetag
for Serendipity (of this flash-file was added in version 2.103), Tag cloud
for Social Web CMS, Animated tag cloud for PHP-Fusion, 3D Advanced Tags
Clouds for Magento, Cumulus for Sweetcron and other web applications with
this flash-file.

And also themes for engines, particularly for Drupal
(http://websecurity.com.ua/5407/), which are using this flash-file (I've
wrote earlier about five vulnerable themes for Drupal). As I mentioned
bellow, vulnerable are only web applications with new versions of this
flash-file (and a lot of web applications and sites are using exactly new
versions of it). But when web developers or admins of sites, which are using
old versions of swf-file (unaffected) will decided to update it (just "to
update" or to fix first XSS vulnerability, which can be done by updating to
fixed version from Roy Tanck), then they will become vulnerable to this
hole.

----------
Details:
----------

If previous vulnerability in tagcloud.swf concerned parameter mode, then new
vulnerability concerns parameter xmlpath.

XSS (WASC-08):

http://site/tagcloud.swf?xmlpath=xss.xml
http://site/tagcloud.swf?xmlpath=http://site/xss.xml

File xss.xml:

<tags>
<a href="javascript:alert(document.cookie)" style="font-size:+40pt">Click
me</a>
<a href="http://websecurity.com.ua" style="font-size:+40pt">Click me</a>
</tags>

Code will execute after click. It's strictly social XSS
(http://websecurity.com.ua/5476/). Also it's possible to conduct (like in
WP-Cumulus) HTML Injection attack.

The attack will work only in new versions of flash-file, where support of
parameter xmlpath was added. In old versions (not affected) in context menu
is mentioned "WP-Cumulus by Roy Tanck", and in new versions (affected)
mentioned "WP-Cumulus by Roy Tanck and Luke Morton". The attack will work
only when xml-file is placed at the same site (the path can be relative or
absolute). Extension of the file can be arbitrary.

------------
Timeline:
------------

2011.11.09 - found vulnerability.
2011.11.17 - disclosed at my site.
2011.11.19 - informed developer of WP-Cumulus. All developers of forks of
WP-Cumulus and developers of web applications, which are using this
flash-file, can read about this issue at my site and in security mailing
lists. In any case, the correct fix for first XSS hole (in links handling
algorithm) also fixes the second XSS hole, so after I've informed all
above-mentioned developers during 2009-2011, if they fixed first hole, then
they fixed the second one.

I mentioned about this vulnerability at my site:
http://websecurity.com.ua/5505/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ