ZeroClipbord.swf Cross Site Scripting / Path Disclosure

2013-04-09T00:00:00
ID PACKETSTORM:121174
Type packetstorm
Reporter MustLive
Modified 2013-04-09T00:00:00

Description

                                        
                                            `Hello list!  
  
These are Cross-Site Scripting and Full path disclosure vulnerabilities in   
multiple themes for WordPress (with ZeroClipboard.swf).  
  
Earlier I've wrote about Cross-Site Scripting vulnerabilities in   
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote   
that this is very widespread flash-file and it's placed at tens of thousands   
of web sites. And it's used in hundreds of web applications.  
  
After publishing this and two other advisories related to ZeroClipboard in   
February, I've published last month two new advisories (which I prepared in   
February). About vulnerabilities in WP plugins and in WP themes (with   
ZeroClipboard.swf).  
  
This flash-file is used in hundreds of themes for WordPress (including   
custom themes for different sites). Among them are Montezuma, Striking,   
Couponpress, Azolla, Black and White. And there are many other vulnerable   
themes for WP with ZeroClipboard.swf. Also there is one theme which also   
contains ZeroClipboard10.swf.  
  
SecurityVulns ID: 12910  
CVE: CVE-2013-1808  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are the next web applications (WordPress themes) with   
ZeroClipboard:  
  
All versions of Montezuma, Striking, Couponpress, Azolla, Black and White.  
  
Both XSS vulnerabilities in ZeroClipboard are fixed in the last version   
ZeroClipboard 1.1.7. All developers should update swf-file in their   
software. I wrote about developers who begun fixing these vulnerabilities in   
ZeroClipboard in their software   
(http://seclists.org/fulldisclosure/2013/Mar/207).  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
XSS via id parameter and XSS via copying payload into buffer (as described   
in previous advisory).  
  
http://site/wp-content/themes/montezuma/admin/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
http://site/wp-content/themes/striking/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
http://site/wp-content/themes/couponpress/template_couponpress/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
http://site/wp-content/themes/azolla/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
http://site/wp-content/themes/black-and-white/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
This is very widespread flash-file (both versions), as you can find out via   
Google dorks. If at searching by standard Goolge dork it's possible to find   
tens thousand of sites with ZeroClipboard.swf or ZeroClipboard10.swf, then   
at searching for themes for WordPress it's possible to find hundreds   
thousand of sites with these flash-files.  
  
inurl:zeroclipboard.swf inurl:/wp-content/themes/ - about 70200 (in   
February, now more)  
zeroclipboard.swf inurl:/wp-content/themes/ - about 85600 (in February, now   
more)  
  
Full path disclosure (WASC-13):  
  
All mentioned themes have FPD vulnerabilities in php-files (in index.php and   
others), which is typically for WP themes.  
  
http://site/wp-content/themes/montezuma/  
  
http://site/wp-content/themes/striking/  
  
http://site/wp-content/themes/couponpress/  
  
http://site/wp-content/themes/azolla/  
  
http://site/wp-content/themes/black-and-white/  
  
------------  
Timeline:  
------------   
  
2013.02.19 - after contacting with old and new developers of ZeroClipboard,   
I disclosed vulnerabilities in ZeroClipboard to the lists.  
2013.02 - in February I wrote two additional advisories about   
vulnerabilities in different web applications with ZeroClipboard to draw   
more attention to this issue concerned with hundreds of web applications.  
2013.03.28 - disclosed vulnerabilities in multiple themes for WordPress at   
my site (http://websecurity.com.ua/6401/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`