Date: Sat, 02 Mar 2013 19:45:35 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: Henri Salo <henri@...v.fi>
Cc: jon@...rohan.me, full-disclosure@...ts.grok.org.uk,
	MustLive <mustlive@...security.com.ua>,
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf


On 03/02/2013 10:17 AM, Henri Salo wrote:
> On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote:
>> I'm resending my letter from February 23, 2013 (since FD was not
>> working that day).
>> 
>> After my previous list of vulnerable software with
>> ZeroClipboard.swf, here is a list of software with
>> ZeroClipboard10.swf. These are Cross-Site Scripting
>> vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django 
>> and aCMS.
>> 
>> Earlier I wrote about Cross-Site Scripting vulnerabilities in 
>> ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103).
>> I wrote that this is a very widespread Flash file and it's placed
>> at tens of thousands of web sites. And it's used in hundreds of
>> web applications. Among them are em-shorty, RepRapCalculator,
>> Fulcrum (CMS), Django and aCMS. And there are many other
>> vulnerable web applications with ZeroClipboard10.swf (some of 
>> them also contain ZeroClipboard.swf).
> 
> So did you report this vulnerability to those projects? Even to
> security@ or similar address? I noticed this vulnerability from
> WordPress plugins. Did you report those? Did you ask CVE
> identifiers?

Please use CVE-2013-1808 for this issue. Added the author to the CC so
he's aware of it. Also thanks to Henri Salo who has taken on
coordinating this issue (it appears to affect quite a few things).

> -- Henri Salo



-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
