Re: XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/02/2013 10:17 AM, Henri Salo wrote:
> On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote:
> > I'm resending my letter from February 23, 2013 (since FD was not
> > working that day).
> >
> > After my previous list of vulnerable software with
> > ZeroClipboard.swf, here is a list of software with
> > ZeroClipboard10.swf. These are Cross-Site Scripting
> > vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django 
> > and aCMS.
> >
> > Earlier I've wrote about Cross-Site Scripting vulnerabilities in 
> > ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103).
> > I wrote that this is very widespread flash-file and it's placed
> > at tens of thousands of web sites. And it's used in hundreds of
> > web applications. Among them are em-shorty, RepRapCalculator,
> > Fulcrum (CMS), Django and aCMS. And there are many other
> > vulnerable web applications with ZeroClipboard10.swf (some of 
> > them also contain ZeroClipboard.swf).
>
> So did you report this vulnerability to those projects? Even to
> security@ or similar address? I noticed this vulnerability from
> WordPress plugins. Did you report those? Did you ask CVE
> identifiers?

Please use CVE-2013-1808 for this issue. Added the author to the CC so
he's aware of it. Also thanks to Henri Salo who has taken on
coordinating this issue (it appears to affect quite a few things).

> -- Henri Salo



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRMrlPAAoJEBYNRVNeJnmTdIcP/jCg7dnLg39HSNiFCpSUtp4m
I5kvJqyCcIEfVH7E6buHjN81tD8j4HTQBm89lxwD5E+Ukk0vwLrJ8hekEn10hY6A
Mhr1oaxM6RlRLYEkNLt9njnd1iyLW5Vt47SCuqv5p0EmFZ7Uy/2fdZMziIAUEuIM
kh2Si3097ntuZL+HagF6SQziiVIBIpLVI5qwCi4aULix949rVIHUhOFgP1AMTMKp
b64nSCGkxxd/hZ1j8qOTt/zSdkMwmRyIteP5UcJ2C8opRPU8TKR780kq7PyAPZhi
ZYPUhztgEnTKVbvtv8eZ5aS4IjVGZGNC4yF5+GOtCMs6OCToMW7WZ5STbCK1uR1n
1ArPFBYg4kK+ul33NYlUOJcdXbGoQE/ImIjh+jmzI4NjREwGGbBawICl3Q1GFvLd
+tBrKY8C4q9LDQzIR0ctkywkLi/6t95ds5iRzZhBL2V+4EjjmWDoo8Zyx+gQuQ4A
BTWsV5IdT9DIarIw7lW09DU2pGjkFm/y8mNBde2a5ZnSqZIsTBwCu2M2NhyfQ8vi
MQI4M/aGB8pG/DeGmaYNmQkYk4a/Hb8tyApSWLsVmrDQgpEpQ9Y9rrbuM+K6GspA
1MC2/bCZGYf3GM0EApGJY64UCE9s0qzGs0Sy3g5cUNFUsoDRrKPdxnkiA8rk1yY9
eMC+bdCYgeHd/CZwsMYp
=oHXG
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/