Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 02 Mar 2013 19:45:35 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/02/2013 10:17 AM, Henri Salo wrote:
On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote:
I'm resending my letter from February 23, 2013 (since FD was not
working that day).

After my previous list of vulnerable software with
ZeroClipboard.swf, here is a list of software with
ZeroClipboard10.swf. These are Cross-Site Scripting
vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django 
and aCMS.

Earlier I've wrote about Cross-Site Scripting vulnerabilities in 
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103).
I wrote that this is very widespread flash-file and it's placed
at tens of thousands of web sites. And it's used in hundreds of
web applications. Among them are em-shorty, RepRapCalculator,
Fulcrum (CMS), Django and aCMS. And there are many other
vulnerable web applications with ZeroClipboard10.swf (some of 
them also contain ZeroClipboard.swf).

So did you report this vulnerability to those projects? Even to
security@ or similar address? I noticed this vulnerability from
WordPress plugins. Did you report those? Did you ask CVE
identifiers?

Please use CVE-2013-1808 for this issue. Added the author to the CC so
he's aware of it. Also thanks to Henri Salo who has taken on
coordinating this issue (it appears to affect quite a few things).

-- Henri Salo



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRMrlPAAoJEBYNRVNeJnmTdIcP/jCg7dnLg39HSNiFCpSUtp4m
I5kvJqyCcIEfVH7E6buHjN81tD8j4HTQBm89lxwD5E+Ukk0vwLrJ8hekEn10hY6A
Mhr1oaxM6RlRLYEkNLt9njnd1iyLW5Vt47SCuqv5p0EmFZ7Uy/2fdZMziIAUEuIM
kh2Si3097ntuZL+HagF6SQziiVIBIpLVI5qwCi4aULix949rVIHUhOFgP1AMTMKp
b64nSCGkxxd/hZ1j8qOTt/zSdkMwmRyIteP5UcJ2C8opRPU8TKR780kq7PyAPZhi
ZYPUhztgEnTKVbvtv8eZ5aS4IjVGZGNC4yF5+GOtCMs6OCToMW7WZ5STbCK1uR1n
1ArPFBYg4kK+ul33NYlUOJcdXbGoQE/ImIjh+jmzI4NjREwGGbBawICl3Q1GFvLd
+tBrKY8C4q9LDQzIR0ctkywkLi/6t95ds5iRzZhBL2V+4EjjmWDoo8Zyx+gQuQ4A
BTWsV5IdT9DIarIw7lW09DU2pGjkFm/y8mNBde2a5ZnSqZIsTBwCu2M2NhyfQ8vi
MQI4M/aGB8pG/DeGmaYNmQkYk4a/Hb8tyApSWLsVmrDQgpEpQ9Y9rrbuM+K6GspA
1MC2/bCZGYf3GM0EApGJY64UCE9s0qzGs0Sy3g5cUNFUsoDRrKPdxnkiA8rk1yY9
eMC+bdCYgeHd/CZwsMYp
=oHXG
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault