|
Message-ID: <00c101ce28d9$e3da9390$9b7a6fd5@pc> Date: Sun, 24 Mar 2013 23:51:55 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, <oss-security@...ts.openwall.com> Subject: XSS vulnerabilities in ZeroClipboard and multiple web applications Hello list! In February I've wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard and multiple web applications. This is additional information on this topic. XSS vulnerabilities in ZeroClipboard http://securityvulns.ru/docs29105.html XSS vulnerabilities in YAML, Multiproject for Trac, UserCollections for Piwigo, TAO and TableTools for DataTables for jQuery http://securityvulns.ru/docs29104.html XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS http://securityvulns.ru/docs29103.html SecurityVulns ID: 12910 CVE: CVE-2013-1808 During my conversation with old ZeroClipboard developer (Joseph Huckaby) and new developers (Jon Rohan and James Greene) last month, I've recommended them to prevent downloading of ZeroClipboard's files (swf and sources) from repository at Google code. To prevent spreading of vulnerable versions of software. After my second letter at 19th of February, Joseph agreed with me on this and gave full control for new developers to make necessary changes at http://code.google.com/p/zeroclipboard/. About added warnings and disallowing of downloads Joseph informed me and later James confirm it too. But it was not sufficient enough, since I found that it was possible to download files directly from repository (and there are many web sites which are referencing on these files). So I've suggested Jon and James to completely prevent downloading of all vulnerable files from old repository. After my letters from 3rd, 16th and 24th of March, they at last did it and made complete closure of old repository. XSS vulnerabilities in zClip and other web applications. In addition to all those web applications, which I've wrote earlier and hundreds of webapps on which I've referenced via google dorks, there are tens or hundreds additional vulnerable web applications with ZeroClipboard. These are such webapps, which have no swf of ZeroClipboard in their bundles, but referencing on it at their sites or in documentation. I have found many webapps with such approach (for different flash-files, like all those flash video players, about vulnerabilities in which I wrote) for last years and wrote about such case. E.g. in 2010 I've wrote about Blogumus - a WP-Cumulus fork for Blogger, where there was swf-file at the site, from which users can download last version or embed it from that site (like from CDN). There are such web developers, like developers of zClip and many other web applications, which are not bundling vulnerable swf of ZeroClipboard, but they referencing to it in old repository and asking all users to manually download last version of swf-file from repository (i.e. last vulnerable version). I've wrote to zClip developers about it at 6th of March, but they just ignored it. So to protect all future users of zClip and any other similar software, which are referencing to old repository at Google Code (with vulnerable versions of ZeroClipboard), and to force a fix to all such software, it was needed to close old repository completely. And today ZeroClipboard developers have done it. XSS (WASC-08): For zClip the path will be the next. XSS via id parameter and XSS via copying payload into clipboard (as described in my first advisory). http://path/js/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height All versions of zClip are referencing to vulnerable versions of ZeroClipboard. So all current users of zClip (including developer of zClip at their site) are using vulnerable swf-files and have XSS vulnerabilities at their sites. But since today all future users of zClip are protected. After I've forced developers of ZeroClipboard, it will prevent spreading of vulnerable versions of swf-files and will protect future users of all software (like zClip) from downloading vulnerable versions of ZeroClipboard. >From now all web developers and users need to download ZeroClipboard only from new repository (https://github.com/jonrohan/ZeroClipboard). Everyone who is using old versions of ZeroClipboard or software, which are bundled with old versions of it, needs to update to the last version 1.1.7 from new repository. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.