SECURITYVULNS:DOC:26998
Sep 13, 2011 - 12:00 a.m.

Vulnerability in plugins for Typepad, RapidWeaver, Habari, DasBlog, eZ Publish, EE, Serendipity, Social Web CMS, PHP-Fusion, Magento and Sweetcron


Hello 3APA3A!

I want to warn you about a Cross-Site Scripting vulnerability in multiple plugins for different engines (it is a combination of three publications which I made earlier at my site): plugins for Typepad, RapidWeaver, Habari, DasBlog, eZ Publish, EE, Serendipity, Social Web CMS, PHP-Fusion, Magento and Sweetcron, all of which are ports of WP-Cumulus. A lot of other such plugins for other engines can be vulnerable.

This XSS is similar to the XSS vulnerability in WP-Cumulus which I disclosed in 2009 (http://securityvulns.com/Wdocument842.html), because these plugins use tagcloud.swf made by the author of WP-Cumulus. I wrote about such vulnerabilities in 2009-2011; in particular, I mentioned the millions of tagcloud.swf flash files which are vulnerable to XSS attacks in my article "XSS vulnerabilities in 34 millions flash files" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).


Affected products:

All versions of the Tumulus widget for Typepad are vulnerable. Note that at his own site the author keeps the file tagcloud-download.swf, which he recommends renaming to tagcloud.swf.

All versions of WP-Cumulus for RapidWeaver are vulnerable.

HB-Cumulus for Habari version 1.4 and previous versions are vulnerable to XSS (and all versions are vulnerable to HTML Injection).

All versions of Cumulus for DasBlog are vulnerable (old versions to XSS and all versions to HTML Injection).

EZcumulus 1.0 for eZ Publish is vulnerable.

Simple Tags for Expression Engine version 1.6.3 and newer versions (where support for this swf-file was added) are vulnerable.

Freetag for Serendipity is vulnerable: Freetag 3.28 and previous versions to HTML Injection, and Freetag 3.21 and previous versions to XSS (in version 3.22 the XSS was fixed after being reported by Stefan Schurtz). Support for the flash-file was added in version 2.103.

All versions of Tag cloud for Social Web CMS are vulnerable.

Animated tag cloud for PHP-Fusion version 1.4 and previous versions are vulnerable.

3D Advanced Tags Clouds for Magento version 2.0.0 and previous versions are vulnerable.

All versions of Cumulus for Sweetcron are vulnerable.

Besides these ones and those which I disclosed in 2009-2011, a lot of other such plugins for other engines can be vulnerable.


Details:

XSS (WASC-08):

http://site/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

The code will execute after a click. It is strictly social XSS. It is also possible to conduct (as in WP-Cumulus) an HTML Injection attack.

HTML Injection (WASC-12):

http://site/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E


Plugins with fixed version of swf-file:

Because in November 2009, after my report, Roy Tanck (developer of WP-Cumulus) fixed only the XSS vector but not the HTML Injection vector, it is still possible to conduct HTML Injection attacks (to inject arbitrary links) against all versions of this swf-file (which can be found under the name tagcloud.swf and other names), including the fixed version of the swf-file with the XSS hole closed.

So all those plugins whose developers fixed this vulnerability (after my report, or after being informed by Roy or other people) by updating the swf-file are still vulnerable to HTML Injection.


Timeline:

2011.06.24 - disclosed at my site (about Tumulus).
2011.06.25 - informed developer of Tumulus.
2011.08.31 - disclosed at my site (about plugins for RapidWeaver, Habari, DasBlog, eZ Publish and EE).
2011.09.01 - disclosed at my site (about plugins for Serendipity, Social Web CMS, PHP-Fusion, Magento and Sweetcron).
2011.09.02 - started informing all developers of ten plugins.

I mentioned these vulnerabilities at my site:
http://websecurity.com.ua/5240/
http://websecurity.com.ua/5353/
http://websecurity.com.ua/5356/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
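Added example, not part of the advisory above and not code from any of the plugins it lists: a small Python detector for web-server access logs that classifies requests to tagcloud.swf by what the `<a href>` values inside the `tagcloud` parameter point to, separating the javascript: XSS vector from the off-site link (HTML Injection) vector that the patched swf-file still accepts. SITE_HOSTS, SCRIPT_SCHEMES, the log-line regex and the sample log lines are assumptions and constructed data, not values from the advisory.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
SITE_HOSTS = {"site"}                        # hosts treated as on-site ("site" mirrors the advisory's URLs)
SCRIPT_SCHEMES = {"javascript", "vbscript"}  # click-executed schemes (assumed set, not from the advisory)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')   # Apache combined-log request field
class _HrefCollector(HTMLParser):            # gathers href of every <a>; HTMLParser unescapes entities
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v is not None]

def _verdict_for_href(href, site_hosts):
    norm = re.sub(r"[\x00-\x20]", "", href).lower()  # drop whitespace/control bytes that could split a scheme
    parts = urlsplit(norm)
    if parts.scheme in SCRIPT_SCHEMES:
        return "xss"                                 # the vector fixed in WP-Cumulus in November 2009
    if not parts.scheme and not parts.netloc:
        return None                                  # relative link, what a legitimate tag link looks like
    if parts.scheme in ("", "http", "https") and parts.hostname in site_hosts:
        return None
    return "html_injection"                          # arbitrary off-site link; works on the patched swf too

def classify_request(target, site_hosts=SITE_HOSTS):
    """Return 'xss', 'html_injection' or None for one request target (path plus query string)."""
    url = urlsplit(target)
    if not url.path.lower().endswith(".swf"):
        return None
    collector = _HrefCollector()
    for payload in parse_qs(url.query).get("tagcloud", []):  # parse_qs percent/plus-decodes the XML
        collector.feed(payload)
    collector.close()
    verdicts = {_verdict_for_href(h, site_hosts) for h in collector.hrefs}
    return "xss" if "xss" in verdicts else "html_injection" if "html_injection" in verdicts else None

def scan_log(lines, site_hosts=SITE_HOSTS):
    """Return [(line_number, verdict)] for each flagged line of an Apache-style access log."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and (verdict := classify_request(m.group(1), site_hosts)):
            hits.append((n, verdict))
    return hits

SAMPLE_LOG = [  # constructed lines; the client addresses and attacker.example are placeholders
    "192.0.2.10 - - [13/Sep/2011:10:00:00 +0000] \"GET /path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1\" 200 21321",
    "192.0.2.11 - - [13/Sep/2011:10:00:05 +0000] \"GET /path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://attacker.example/'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1\" 200 21321",
    "192.0.2.12 - - [13/Sep/2011:10:00:09 +0000] \"GET /path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='/tag/php'%3Ephp%3C/a%3E%3C/tags%3E HTTP/1.1\" 200 21321",
]
```

`scan_log(SAMPLE_LOG)` flags the first two lines only; hosts of links that legitimately point back to the site belong in SITE_HOSTS so they are not reported.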