Firefox automatically filters unsafe XSS, and there are reports this doesn't work in Google Chrome? From what I understand the implications of this vuln are purely social, no maliciousness possible?

On Tue, Jan 12, 2010 at 1:44 AM, Jeff Williams <jeffwilli...@gmail.com> wrote:
> Yo MustDie,
>
> Post your shit here:
> http://www.exploit-db.com/
> They love XSS.
>
> 2010/1/11 MustLive <mustl...@websecurity.com.ua>
>>
>> Hello Full-Disclosure!
>>
>> Yesterday I wrote the article XSS vulnerabilities in 34 millions flash files
>> (http://websecurity.com.ua/3842/), and here is the English version of it.
>>
>> In December, in my article XSS vulnerabilities in 8 millions flash files
>> (http://websecurity.com.ua/3789/), I wrote that there are up to 34,000,000
>> tagcloud.swf flash files on the Internet which are potentially vulnerable to
>> XSS attacks. Taking into account that people mostly didn't pay attention in
>> the previous article to my mention of another 34 million vulnerable flash
>> files, I decided to write a separate article about it.
>>
>> The file tagcloud.swf was developed by the author of the WP-Cumulus plugin
>> for WordPress (http://websecurity.com.ua/3665/) and is delivered with this
>> plugin for WordPress, and also with other plugins, particularly Joomulus
>> (http://websecurity.com.ua/3801/) and JVClouds3D
>> (http://websecurity.com.ua/3839/) for Joomla and Blogumus
>> (http://websecurity.com.ua/3843/) for Blogger. Taking into account the
>> prevalence of this flash file, I'll note that it's the most widespread flash
>> file on the Internet with an XSS vulnerability.
>>
>> -------------------------------------
>> Prevalence of the problem.
>> -------------------------------------
>>
>> There are a lot of vulnerable tagcloud.swf files on the Internet (according
>> to Google):
>>
>> http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf
>>
>> If on 18.12.2009 there were about 34,000,000 results, now there are about
>> 32,500,000 results. And these are only those flash files which were indexed
>> by Google; actually there can be many more of them.
>>
>> So there are about 32.5 million sites with the file tagcloud.swf which are
>> vulnerable to XSS and HTML Injection attacks.
>>
>> Among them there are about 273,000 gov sites
>> (http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf+inurl:gov&filter=0)
>> which are vulnerable to XSS and HTML Injection attacks.
>>
>> ----------------------------------
>> Vulnerabilities in swf-file.
>> ----------------------------------
>>
>> The file tagcloud.swf is vulnerable to XSS and HTML Injection attacks via
>> the parameter tagcloud.
>>
>> XSS:
>>
>> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>>
>> The code will execute after a click. It's strictly social XSS.
>>
>> HTML Injection:
>>
>> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>>
>> An HTML Injection attack can be conducted particularly on those flash files
>> which have protection (in the flash file or via a WAF) against javascript
>> and vbscript URIs in the parameter tagcloud.
>>
>> ----------------------------------------
>> Examples of vulnerable sites.
>> ----------------------------------------
>>
>> I gave examples of vulnerable sites with this swf-file in the post XSS
>> vulnerabilities in tagcloud.swf at gov and gov.ua
>> (http://websecurity.com.ua/3835/).
>>
>> So flash developers had better attend to the security of their flash files.
>> And owners of sites with vulnerable flashes (particularly tagcloud.swf) need
>> either to fix them themselves or to turn to their developers.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
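The two URLs quoted in MustLive's post give a site owner something concrete to look for in web-server access logs. The following is an added example, not code from the thread, from WP-Cumulus or from any of the other plugins named: it extracts the `tagcloud` query parameter from requests for tagcloud.swf, URL-decodes it, and flags script-scheme hrefs as XSS attempts and off-site hrefs as HTML injection attempts. The log lines and the trusted-host list are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus
# Hostnames that tag links on this site may legitimately point to (assumed value).
TRUSTED_HOSTS = frozenset({"www.example.com", "example.com"})
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
HREF_RE = re.compile(r"""href\s*=\s*['"]?\s*([^'">]+)""", re.IGNORECASE)

# Constructed access-log lines; the first two carry the payloads quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2010:09:16:44 +0000] "GET /tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 31512
203.0.113.9 - - [12/Jan/2010:09:17:10 +0000] "GET /tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 31512
203.0.113.9 - - [12/Jan/2010:09:18:00 +0000] "GET /tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='/tag/php'%3Ephp%3C/a%3E%3C/tags%3E HTTP/1.1" 200 31512
"""

def tagcloud_payloads(line):
    """Decoded `tagcloud` query values of a tagcloud.swf request; [] for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/tagcloud.swf"):
        return []
    values = parse_qs(url.query, keep_blank_values=True).get("tagcloud", [])
    # parse_qs decodes once; decode again so a double-encoded value is still inspected.
    return [unquote_plus(v) for v in values]

def classify(payload, trusted_hosts=TRUSTED_HOSTS):
    """'xss' for a script-scheme href, 'html-injection' for an off-site href, else 'ok'."""
    hrefs = HREF_RE.findall(payload)
    for href in hrefs:
        # Strip whitespace and control characters before reading the scheme.
        if re.sub(r"[\s\x00-\x1f]", "", href).lower().startswith(SCRIPT_SCHEMES):
            return "xss"
    for href in hrefs:
        host = urlsplit(href).hostname
        if host and host.lower() not in trusted_hosts:
            return "html-injection"
    return "ok"

def scan_log(text, trusted_hosts=TRUSTED_HOSTS):
    """Return (line_no, verdict, decoded_payload) for every flagged request."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for payload in tagcloud_payloads(line):
            verdict = classify(payload, trusted_hosts)
            if verdict != "ok":
                findings.append((n, verdict, payload))
    return findings
```

Requests whose hrefs are relative or point at a trusted host (the third sample line) are not reported, so the scanner can run over a normal day's log without noise from legitimate tag clouds.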