Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29105
HistoryFeb 24, 2013 - 12:00 a.m.

XSS vulnerabilities in ZeroClipboard

2013-02-2400:00:00
vulners.com
2449

Hello 3APA3A!

These are Cross-Site Scripting vulnerabilities in ZeroClipboard.

Last week I've made my research of these vulnerabilities and informed all developers (previous and current) of ZeroClipboard.

When I've downloaded ZeroClipboard in September 2011, when I was writing my article Attacks via clipboard (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html), where I wrote about different attacks via clipboard, such as XSS, CAS (which leads to DoS or Code Execution), attacks on download managers which monitor clipboard (which leads to manual downloading of malware or even Automatic File Download), clipboard spamming, clipboard phishing and clipboard malwaring, I mentioned about it in the article. That my examples of JavaScript code (for IE) or ActionScript code (for all browses) can be used for such attacks, or to use ZeroClipboard.


Affected products:

Vulnerable are ZeroClipboard 1.0.7 and previous versions. This is concerning ZeroClipboard developed by original author (Joseph Huckaby). There are new versions, developed by new authors (Jon Rohan and James M. Greene), in which they became fixing these vulnerabilities - one XSS in 1.0.8 and another in 1.1.4 version. The last version ZeroClipboard 1.1.7 is not affected.

Original version by Joseph has two flash-files (ZeroClipboard.swf and ZeroClipboard10.swf) and newer versions by Jon and James have only one flash-file (ZeroClipboard.swf).


Details:

In September 2011 I've not made any assessment of ZeroClipboard, so draw attention only on XSS via copying to buffer (it exists in test.html from archive of original ZeroClipboard, because flash-application doesn't sanitize input before copying into buffer, similarly as it can be used for above-mentioned XSS attacks via pasting). This XSS can be triggered at testing page, where information about copied text is shown and XSS occurs, or at pasting into html-forms (as described in my article).

Then hip made his assessment of ZeroClipboard recently (http://packetstormsecurity.com/files/119968/WordPress-WP-Table-Reloaded-Cross-Site-Scripting.html). He draw attention only concerning this flash-file in WP-Table-Reloaded plugin for WordPress, but it's not just part of the plugin, it's third-party application, which is used in multiple web applications and at multiple sites (as standalone, as in different webapps). So I'm giving detailed information about ZeroClipboard.

I suggest instead of hip's payload "a\%22))}catch(e){alert(1)}//" to use my variant - in this case there will be no cyclings of alertbox.

http://site/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

Cross-Site Scripting (WASC-08):

In WP-Table-Reloaded XSS works just with parameter id (this is modified version of swf-file, so there are different modification of it). In official version of ZeroClipboard it'll not work without "&width&height", so it's needed to set all parameters.

http://site/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

And XSS via copying XSS payload into buffer, described above.

This is very widespread flash-file (both versions), as you can find out via Google dorks.

inurl:zeroclipboard.swf - about 80500 results
inurl:zeroclipboard10.swf - about 9520 results

Some of these zeroclipboard.swf can be newer versions (with fixed XSS), but tens of thousands of swf-files (and sites with them) are vulnerable. For last 14,5 years I saw ZeroClipboard and similar flash-files (for copying into clipboard) at a lot of web sites. From small sites, till large sites, such as slideshare.net (this is just one more hole to those multiple holes, which I've informed them about during last years, and they always don't care about security of their site - or ignored vulnerabilities, or hiddenly fixed one hole without any response - typical lame approach, so this hole is going directly to full disclosure).

http://www.slideshare.net/javascripts/plugins/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua