lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <73e837291001121240p97e0a23hfa4abe57422e613c@mail.gmail.com>
Date: Tue, 12 Jan 2010 21:40:58 +0100
From: Michele Orru <antisnatchor@...il.com>
To: Jeff Williams <jeffwillis30@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua>
Subject: Re: XSS vulnerabilities in 34 millions flash files

@Jeff
Of course they like XSS: the DB maintained by muts et al. is the
"prosecution" of milw0rm, since
str0ke gives up to mantain it.

I remember that str0ke didn't allowed to publish advisories ONLY
RELATED to xss (especially reflected ones, as they
are so common), but by the way I think is OK to publish there even the
most simple reflected XSS, especially if
is afflicting world used web-based products.

@MustLive
I see that people doesn't like your posts here on bugtraq: just try to
be more clear on your posts.
XSS vulnerabilities in FLASH files have been researched from many
years, and with a tool like
SWFintruder is so easy to find them: your post is not something new.
Is enough to take the Flash files you mentioned (used by joomal or
whatever), find the XSS, and then make a google search to see how many
sites are using
the vulnerable swf.

Interesting to know how many are vulnerable, but absolutely NOT SOMETHING NEW.

Cheers

Michele "antisnatchor" Orru'
http://antisnatchor.com

On Tue, Jan 12, 2010 at 12:44 AM, Jeff Williams <jeffwillis30@...il.com> wrote:
> Yo MustDie,
>
> Post your shit here:
> http://www.exploit-db.com/
> They love XSS.
>
>
>
> 2010/1/11 MustLive <mustlive@...security.com.ua>
>>
>> Hello Full-Disclosure!
>>
>> Yesterday I wrote the article XSS vulnerabilities in 34 millions flash
>> files
>> (http://websecurity.com.ua/3842/), and here is English version of it.
>>
>> In December in my article XSS vulnerabilities in 8 millions flash files
>> (http://websecurity.com.ua/3789/) I wrote, that there are up to 34000000
>> of flashes tagcloud.swf in Internet which are potentially vulnerable to
>> XSS
>> attacks. Taking into account that people mostly didn't draw attention in
>> previous article to my mentioning about another 34 millions of vulnerable
>> flashes, then I decided to write another article about it.
>>
>> File tagcloud.swf was developed by author of plugin WP-Cumulus for
>> WordPress
>> (http://websecurity.com.ua/3665/) and it's delivered with this plugin for
>> WordPress, and also with other plugins, particularly Joomulus
>> (http://websecurity.com.ua/3801/) and JVClouds3D
>> (http://websecurity.com.ua/3839/) for Joomla and Blogumus
>> (http://websecurity.com.ua/3843/) for Blogger. Taking into account
>> prevalence of this flash file, I'll note that it's most widespread flash
>> file in Internet with XSS vulnerability.
>>
>> -------------------------------------
>> Prevalence of the problem.
>> -------------------------------------
>>
>> There are a lot of vulnerable tagcloud.swf files in Internet (according to
>> Google):
>>
>> http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf
>>
>> If at 18.12.2009 there were about 34000000 results, then now there are
>> about
>> 32500000 results. And these are only those flash files, which were indexed
>> by Google, and actually there can be much more of them.
>>
>> So there are about 32,5 millions of sites with file tagcloud.swf which are
>> vulnerable to XSS and HTML Injection attacks.
>>
>> Among them there are about 273000 gov-sites
>>
>> (http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf+inurl:gov&filter=0)
>> which are vulnerable to XSS and HTML Injection attacks.
>>
>> ----------------------------------
>> Vulnerabilities in swf-file.
>> ----------------------------------
>>
>> File tagcloud.swf is vulnerable to XSS and HTML Injection attacks via
>> parameter tagcloud.
>>
>> XSS:
>>
>>
>> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>>
>> Code will execute after click. It's strictly social XSS.
>>
>> HTML Injection:
>>
>>
>> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>>
>> HTML Injection attack can be conducted particularly on those flash files
>> which have protection (in flash files or via WAF) against javascript and
>> vbscript URI in parameter tagcloud.
>>
>> ----------------------------------------
>> Examples of vulnerable sites.
>> ----------------------------------------
>>
>> I gave examples of vulnerable sites with this swf-file in post XSS
>> vulnerabilities in tagcloud.swf at gov and gov.ua
>> (http://websecurity.com.ua/3835/).
>>
>> So for flash developers it's better to attend to security of their flash
>> files. And for owners of sites with vulnerable flashes (particularly
>> tagcloud.swf) it's needed either to fix them by themselves, or to turn to
>> their developers.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ