| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <009801ce75d4$290011b0$9b7a6fd5@pc> Date: Sun, 30 Jun 2013 23:55:08 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, "1337 Exploit DataBase" <mr.inj3ct0r@...il.com> Subject: Content Spoofing vulnerabilities in TinyMCE and WordPress Hello list! This are Content Spoofing vulnerabilities in TinyMCE and WordPress. Which I've disclosed on Wednesday. In 2011 I already wrote about Content Spoofing in Moxieplayer, when I wrote concerning multiple vulnerabilities in TinyMCE (http://securityvulns.ru/docs27349.html), which is a component of Media plugin for TinyMCE (it's a part of core of TinyMCE). This visual editor is bundled with hundreds of web applications, particularly with WordPress. This flash file is bundled with WP since version 3.3. ------------------------- Affected products: ------------------------- Vulnerable are versions TinyMCE 3.4b2 - 4.0b3. For the first vulnerability versions WordPress 3.3 - 3.4.2 are vulnerable. For the second vulnerability versions WordPress 3.3 - 3.5.1 are vulnerable. This hole was fixed in WordPress 3.5.2 (note that WP developers incorrectly called this CS hole as XSS in announcement at their site, at that in codex they wrote correctly). ---------- Details: ---------- Content Spoofing (WASC-12): If previous vulnerability, which I found in 2011, looked the next (since TinyMCE 3.4b2 and in version 3.4.7 it was fixed): http://site/moxieplayer.swf?url=http://site2/1.flv Then recently new vulnerability was found (by Wan Ikram), which allows to bypass protection and conduct CS attack: http://site/moxieplayer.swf#?url=http://site2/1.flv In June this vulnerability was fixed. Updated version of Moxieplayer is present in TinyMCE 4.0. In WordPress the attack with using of this flash-file looks the next. The first variant (WP 3.3 - 3.4.2): http://site/wp-includes/js/tinymce/plugins/media/moxieplayer.swf?url=http://site2/1.flv The second variant (WP 3.3 - 3.5.1): http://site/wp-includes/js/tinymce/plugins/media/moxieplayer.swf#?url=http://site2/1.flv ------------ Timeline: ------------ 2013.06.21 - released WP 3.5.2 with updated version of Moxieplayer. 2013.06.26 - disclosed at my site (http://websecurity.com.ua/6604/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists