ZeroClipboard 1.0.7 Cross Site Scripting

2013-02-19 / 2013-03-25
Credit: MustLive
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Hello list! These are Cross-Site Scripting vulnerabilities in ZeroClipboard. Last week I've made my research of these vulnerabilities and informed all developers (previous and current) of ZeroClipboard. When I've downloaded ZeroClipboard in September 2011, when I was writing my article Attacks via clipboard (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html), where I wrote about different attacks via clipboard, such as XSS, CAS (which leads to DoS or Code Execution), attacks on download managers which monitor clipboard (which leads to manual downloading of malware or even Automatic File Download), clipboard spamming, clipboard phishing and clipboard malwaring, I mentioned about it in the article. That my examples of JavaScript code (for IE) or ActionScript code (for all browses) can be used for such attacks, or to use ZeroClipboard. ------------------------- Affected products: ------------------------- Vulnerable are ZeroClipboard 1.0.7 and previous versions. This is concerning ZeroClipboard developed by original author (Joseph Huckaby). There are new versions, developed by new authors (Jon Rohan and James M. Greene), in which they became fixing these vulnerabilities - one XSS in 1.0.8 and another in 1.1.4 version. The last version ZeroClipboard 1.1.7 is not affected. Original version by Joseph has two flash-files (ZeroClipboard.swf and ZeroClipboard10.swf) and newer versions by Jon and James have only one flash-file (ZeroClipboard.swf). ---------- Details: ---------- In September 2011 I've not made any assessment of ZeroClipboard, so draw attention only on XSS via copying to buffer (it exists in test.html from archive of original ZeroClipboard, because flash-application doesn't sanitize input before copying into buffer, similarly as it can be used for above-mentioned XSS attacks via pasting). This XSS can be triggered at testing page, where information about copied text is shown and XSS occurs, or at pasting into html-forms (as described in my article). Then hip made his assessment of ZeroClipboard recently (http://packetstormsecurity.com/files/119968/WordPress-WP-Table-Reloaded-Cross-Site-Scripting.html). He draw attention only concerning this flash-file in WP-Table-Reloaded plugin for WordPress, but it's not just part of the plugin, it's third-party application, which is used in multiple web applications and at multiple sites (as standalone, as in different webapps). So I'm giving detailed information about ZeroClipboard. I suggest instead of hip's payload "a\%22))}catch(e){alert(1)}//" to use my variant - in this case there will be no cyclings of alertbox. http://site/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)// Cross-Site Scripting (WASC-08): In WP-Table-Reloaded XSS works just with parameter id (this is modified version of swf-file, so there are different modification of it). In official version of ZeroClipboard it'll not work without "&width&height", so it's needed to set all parameters. http://site/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height http://site/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height And XSS via copying XSS payload into buffer, described above. This is very widespread flash-file (both versions), as you can find out via Google dorks. inurl:zeroclipboard.swf - about 80500 results inurl:zeroclipboard10.swf - about 9520 results Some of these zeroclipboard.swf can be newer versions (with fixed XSS), but tens of thousands of swf-files (and sites with them) are vulnerable. For last 14,5 years I saw ZeroClipboard and similar flash-files (for copying into clipboard) at a lot of web sites. From small sites, till large sites, such as slideshare.net (this is just one more hole to those multiple holes, which I've informed them about during last years, and they always don't care about security of their site - or ignored vulnerabilities, or hiddenly fixed one hole without any response - typical lame approach, so this hole is going directly to full disclosure). http://www.slideshare.net/javascripts/plugins/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

References:

http://websecurity.com.ua
http://seclists.org/oss-sec/2013/q1/552
http://seclists.org/oss-sec/2013/q1/729


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top