Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ZeroClipboard 1.0.7 Cross Site Scripting

🗓️ 18 Feb 2013 00:00:00Reported by MustLiveType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

ZeroClipboard 1.0.7 Cross Site Scripting vulnerabilities in flash-files, affecting multiple web applications and sites. XSS via copying to buffer, XSS payload into buffer, and XSS in WP-Table-Reloaded plugin

Code
`Hello list!  
  
These are Cross-Site Scripting vulnerabilities in ZeroClipboard.  
  
Last week I've made my research of these vulnerabilities and informed all  
developers (previous and current) of ZeroClipboard.  
  
When I've downloaded ZeroClipboard in September 2011, when I was writing my   
article Attacks via clipboard  
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html),   
where I wrote about different attacks via clipboard, such as XSS, CAS (which   
leads to DoS or Code Execution), attacks on download managers which monitor   
clipboard (which leads to manual downloading of malware or even Automatic   
File Download), clipboard spamming, clipboard phishing and clipboard   
malwaring, I mentioned about it in the article. That my examples of   
JavaScript code (for IE) or ActionScript code (for all browses) can be used   
for such attacks, or to use ZeroClipboard.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are ZeroClipboard 1.0.7 and previous versions. This is concerning  
ZeroClipboard developed by original author (Joseph Huckaby). There are new  
versions, developed by new authors (Jon Rohan and James M. Greene), in which  
they became fixing these vulnerabilities - one XSS in 1.0.8 and another in  
1.1.4 version. The last version ZeroClipboard 1.1.7 is not affected.  
  
Original version by Joseph has two flash-files (ZeroClipboard.swf and  
ZeroClipboard10.swf) and newer versions by Jon and James have only one  
flash-file (ZeroClipboard.swf).  
  
----------  
Details:  
----------  
  
In September 2011 I've not made any assessment of ZeroClipboard, so draw  
attention only on XSS via copying to buffer (it exists in test.html from  
archive of original ZeroClipboard, because flash-application doesn't  
sanitize input before copying into buffer, similarly as it can be used for  
above-mentioned XSS attacks via pasting). This XSS can be triggered at  
testing page, where information about copied text is shown and XSS occurs,  
or at pasting into html-forms (as described in my article).  
  
Then hip made his assessment of ZeroClipboard recently  
(http://packetstormsecurity.com/files/119968/WordPress-WP-Table-Reloaded-Cross-Site-Scripting.html).  
He draw attention only concerning this flash-file in WP-Table-Reloaded  
plugin for WordPress, but it's not just part of the plugin, it's third-party  
application, which is used in multiple web applications and at multiple  
sites (as standalone, as in different webapps). So I'm giving detailed  
information about ZeroClipboard.  
  
I suggest instead of hip's payload "a\%22))}catch(e){alert(1)}//" to use my  
variant - in this case there will be no cyclings of alertbox.  
  
http://site/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//  
  
Cross-Site Scripting (WASC-08):  
  
In WP-Table-Reloaded XSS works just with parameter id (this is modified  
version of swf-file, so there are different modification of it). In official  
version of ZeroClipboard it'll not work without "&width&height", so it's  
needed to set all parameters.  
  
http://site/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
http://site/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
And XSS via copying XSS payload into buffer, described above.  
  
This is very widespread flash-file (both versions), as you can find out via  
Google dorks.  
  
inurl:zeroclipboard.swf - about 80500 results  
inurl:zeroclipboard10.swf - about 9520 results  
  
Some of these zeroclipboard.swf can be newer versions (with fixed XSS), but  
tens of thousands of swf-files (and sites with them) are vulnerable. For  
last 14,5 years I saw ZeroClipboard and similar flash-files (for copying  
into clipboard) at a lot of web sites. From small sites, till large sites,  
such as slideshare.net (this is just one more hole to those multiple holes,  
which I've informed them about during last years, and they always don't care  
about security of their site - or ignored vulnerabilities, or hiddenly fixed  
one hole without any response - typical lame approach, so this hole is going  
directly to full disclosure).  
  
http://www.slideshare.net/javascripts/plugins/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Feb 2013 00:00Current
zeroclipboardcross-site scriptingflash-filesxsswp-table-reloadedvulnerabilitiesbufferweb applicationsswf-filesgoogle dorks
29