lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 1 Dec 2012 20:25:32 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>, <submissions@...ketstormsecurity.org>
Subject: Cross-Site Scripting in Liberated Syndication

Hello list!

As you can see from my publications for last five years, I like holes which
are placed at hundreds or millions of web sites. Since my 2008's article XSS
vulnerabilities in 215000 flash files
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2008-November/004655.html)
till last advisories about vulnerabilities in JW Player and other
flash-files, which are hosted at millions of sites. For example, any
vulnerability in WordPress (such as XSS in swfupload) are spread on more
58,4 million web sites (by wordpress.com statistics). And now I'll tell you
about vulnerability at one hosting platform which has potentially up to
million of web sites.

Here is Cross-Site Scripting vulnerability in libsyn platform (Liberated
Syndication). There are a lot of vulnerable web sites with this XSS on it
(including security sites).

According to Google (site:libsyn.com -site:www.libsyn.com):

At 27.09.2012 there were results: 1890000
At 01.12.2012 there were results: 2080000

It's about pages of all subdomains. But we can take some average number of
pages per site and find the number of sites - approximately it'll be from
100000 till 1 million web sites. The developers haven't fixed vulnerability
for more then two months, even I've informed them multiple times.

----------
Details:
----------

XSS (WASC-08):

Here is example at one web site at libsyn:

http://dyned.libsyn.com/webpage/category/%3Cbody%20onload=alert(document.cookie)%3E

------------
Timeline:
------------ 

2012.09.27 - Found vulnerability in platform and checked it at multiple
libsyn sites.
2012.09.27 - Informed developers via e-mail and contact form. Site's contact
form answered that they would reply shortly.
2012.10.13 - Still no answer. Resent letter via contact form and to e-mail
of domain owner.
2012.12.01 - Still the same. Disclosed to Full-disclosure.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists