Message-ID: <00e901cc70c1$c035c490$9b7a6fd5@ml>
Date: Sun, 11 Sep 2011 23:30:03 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerability in plugins for RapidWeaver, Habari, DasBlo, eZ Publish, EE, Serendipity, Social Web CMS, PHP-Fusion, Magento and Sweetcron
Hello list!
I want to warn you about a Cross-Site Scripting vulnerability in multiple
plugins for different engines (this is a combination of two publications
I made last week at my site): the plugins for RapidWeaver, Habari,
DasBlog, eZ Publish, EE, Serendipity, Social Web CMS, PHP-Fusion, Magento and
Sweetcron, all of which are ports of WP-Cumulus. Many other such plugins
for other engines may be vulnerable.
This XSS is similar to the XSS vulnerability in WP-Cumulus which I disclosed
in 2009 (http://securityvulns.com/Wdocument842.html), because these plugins
use the tagcloud.swf made by the author of WP-Cumulus. I wrote about such
vulnerabilities in 2009-2011; in particular, I mentioned the millions of
tagcloud.swf flash files vulnerable to XSS attacks in my article "XSS
vulnerabilities in 34 millions flash files"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of WP-Cumulus for RapidWeaver.
HB-Cumulus for Habari version 1.4 and previous versions are vulnerable to
XSS (and all versions are vulnerable to HTML Injection).
Vulnerable are all versions of Cumulus for DasBlog (old versions to XSS and
all versions to HTML Injection).
Vulnerable is EZcumulus 1.0 for eZ Publish.
Vulnerable are Simple Tags for Expression Engine version 1.6.3 and newer
versions (where support for this swf-file was added).
Vulnerable is Freetag for Serendipity: Freetag 3.28 and previous versions
to HTML Injection, and Freetag 3.21 and previous versions to XSS (in version
3.22 the XSS was fixed after Stefan Schurtz informed the developers). Support
for the flash file was added in version 2.103.
Vulnerable are all versions of Tag cloud for Social Web CMS.
Vulnerable are Animated tag cloud for PHP-Fusion version 1.4 and previous
versions.
Vulnerable are 3D Advanced Tags Clouds for Magento version 2.0.0 and
previous versions.
Vulnerable are all versions of Cumulus for Sweetcron.
Besides these and those I disclosed in 2009-2011, many other such plugins
for other engines may be vulnerable.
----------
Details:
----------
XSS (WASC-08):
http://site/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
The code executes after a click; it is strictly social XSS. It is also
possible (as in WP-Cumulus) to conduct an HTML Injection attack.
HTML Injection (WASC-12):
http://site/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
-------------------------------------------------
Plugins with fixed version of swf-file:
-------------------------------------------------
Because in November 2009, after I informed him, Roy Tanck (developer of
WP-Cumulus) fixed only the XSS vector and not the HTML Injection vector, it is
still possible to conduct HTML Injection attacks (injecting arbitrary links)
against all versions of this swf-file (which can be found under the name
tagcloud.swf and other names), including the fixed version of the swf-file
with the XSS hole closed.
So all those plugins whose developers fixed this vulnerability (after being
informed by me, by Roy or by other people) by updating the swf-file are
still vulnerable to HTML Injection.
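The two requests in the Details section differ only in the scheme of the injected href, and the paragraph above says the patched swf closed the first vector but not the second. The following Python script, added here as an example and not code from the original post, from Roy Tanck or from any of the listed plugins, shows both halves of that observation: it pulls the `tagcloud` parameter out of a request URL, classifies every `<a href>` it finds as script execution (XSS), a link to a foreign origin (HTML Injection) or a same-origin link, and then applies the same-origin rule as the filter the fixed swf still lacks. The function names, the `site_host` parameter, the `evil.example` host, the mixed sample payload and the regex fallback for malformed XML are all assumptions made for illustration; how the SWF actually parses its XML is not known from the advisory.

```python
"""Check tagcloud.swf-style payloads for XSS and HTML Injection.

Added example, not code from the original post, from WP-Cumulus or from
any of the listed plugins.  It assumes only what the advisory shows: the
swf reads a `tagcloud` query parameter holding <tags>...</tags> XML and
renders each <a href> as a clickable link.  Everything else (function
names, the site_host parameter, the evil.example host, the regex
fallback) is an assumption made for illustration.
"""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Schemes that execute script when the rendered link is clicked.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

# Regex fallback for payloads ElementTree rejects; the swf's own XML
# parser may be more lenient than a strict one (assumption).
HREF_RE = re.compile(r"""href\s*=\s*(['"])(.*?)\1""", re.IGNORECASE | re.DOTALL)

# Both request URLs from the advisory's Details section.
XSS_URL = ("http://site/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href="
           "'javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me"
           "%3C/a%3E%3C/tags%3E")
HTML_INJECTION_URL = ("http://site/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href="
                      "'http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me"
                      "%3C/a%3E%3C/tags%3E")


def extract_tagcloud(url):
    """Return the URL-decoded `tagcloud` parameter of a request, or None."""
    values = parse_qs(urlsplit(url).query).get("tagcloud")
    return values[0] if values else None


def extract_hrefs(payload):
    """List every <a href> value in the tagcloud XML."""
    try:
        return [a.get("href", "") for a in ET.fromstring(payload).iter("a")]
    except ET.ParseError:
        return [m.group(2) for m in HREF_RE.finditer(payload)]


def classify_href(href, site_host):
    """Classify one link target.

    'xss'            - a scheme that runs script on click (the 2009 vector)
    'html_injection' - an ordinary link, but to another origin (still open)
    'ok'             - relative or same-origin link
    """
    decoded = html.unescape(href)
    # Detection is deliberately conservative: drop every ASCII control
    # character and space before looking at the scheme, because browsers
    # ignore tabs and newlines anywhere in a URL, so "java\tscript:" and
    # "&#106;avascript:" must still count as script URLs.
    compact = "".join(ch for ch in decoded if ord(ch) > 0x20).lower()
    if compact.startswith(SCRIPT_SCHEMES):
        return "xss"
    # Browsers also treat backslashes as slashes, so "\\evil.example" is
    # a protocol-relative link to another host.
    parts = urlsplit(decoded.strip().replace("\\", "/"))
    if parts.netloc and (parts.hostname or "").lower() != site_host.lower():
        return "html_injection"
    return "ok"


def audit_url(url, site_host):
    """Return [(href, verdict), ...] for every link in the request's payload."""
    payload = extract_tagcloud(url)
    if payload is None:
        return []
    return [(h, classify_href(h, site_host)) for h in extract_hrefs(payload)]


def sanitize_tagcloud(payload, site_host):
    """Drop every <a> whose href is not a same-origin link.

    This is the rule the advisory says the fixed swf still lacks: blocking
    javascript: alone stops the XSS but leaves arbitrary foreign links.
    """
    root = ET.fromstring(payload)
    for parent in list(root.iter()):
        for a in list(parent.findall("a")):
            if classify_href(a.get("href", ""), site_host) != "ok":
                parent.remove(a)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for url in (XSS_URL, HTML_INJECTION_URL):
        print(audit_url(url, "site"))
    # Constructed payload mixing both attack vectors with a legitimate tag link.
    mixed = ("<tags><a href='javascript:alert(1)'>x</a>"
             "<a href='http://evil.example/'>y</a>"
             "<a href='/tag/php'>php</a></tags>")
    print(sanitize_tagcloud(mixed, "site"))
```

Run against the two advisory URLs, `audit_url` reports the first as `xss` and the second as `html_injection`; a fix that only rejects script schemes would pass the second one through, which is exactly the gap described above. The same-origin check in `sanitize_tagcloud` compares the parsed hostname rather than the raw string, so `http://site@evil.example/` and protocol-relative `//evil.example/` are both rejected.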
------------
Timeline:
------------
2011.08.31 - disclosed at my site (about the plugins for RapidWeaver, Habari,
DasBlog, eZ Publish and EE).
2011.09.01 - disclosed at my site (about the plugins for Serendipity, Social Web
CMS, PHP-Fusion, Magento and Sweetcron).
2011.09.02 - started informing all developers of the ten plugins.
I mentioned these vulnerabilities at my site:
http://websecurity.com.ua/5240/
http://websecurity.com.ua/5353/
http://websecurity.com.ua/5356/
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/