10 million XSS ! Thank you Santa.
2011/12/26 MustLive <[email protected]> > Hello list! > > Besides tens millions of vulnerable web sites with affected flash files and > vulnerable multiple plugins for different engines, which I've wrote about > earlier, there are a lot of other vulnerable plugins. Here are new ones > (some of them are vulnerable to two XSS holes). There are Cross-Site > Scripting vulnerabilities in plugins for engines MODx CMS, XOOPS, uCoz, > Magento and DSP CMS, which all are ports of WP-Cumulus. A lot of other such > plugins for other engines can be vulnerable. > > This XSS is similar to XSS vulnerability in WP-Cumulus, which I've > disclosed > in 2009 (http://securityvulns.com/Wdocument842.html). Because these > plugins > are using tagcloud.swf made by author of WP-Cumulus. About such > vulnerabilities I wrote in 2009-2011, particularly about millions of flash > files tagcloud.swf which are vulnerable to XSS attacks I mentioned in my > article XSS vulnerabilities in 34 millions flash files > ( > http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html > ). > > ------------------------- > Affected products: > ------------------------- > > Vulnerable are all versions of Tagcloud for MODx CMS. > > Vulnerable is Сumulus for XOOPS 1.0, which is also included in > ExtendedPackRU for XOOPS. > > Vulnerable are all versions of uCoz-Cumulus for uCoz. > > Vulnerable are all versions of Cumulus Tagcloud for Magento. > > Vulnerable are all versions of Сumulus for DSP CMS. > > Some of these plugins are vulnerable to one and some to two XSS holes - as > to first hole in WP-Cumulus, which I've disclosed in 2009, as to second > hole, which I've disclosed in 2011. > > Besides these ones and those which I've disclosed in 2009-2011, a lot of > other such plugins for other engines can be vulnerable. > > ---------- > Details: > ---------- > > XSS (WASC-08): > > Tagcloud for MODx CMS: > > > http://site/assets/files/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E > > Сumulus for XOOPS: > > > http://site/modules/cumulus/include/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E > > uCoz-Cumulus for uCoz: > > > http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E > > Cumulus Tagcloud for Magento: > > > http://site/frontend/tag/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E > > http://site/frontend/tag/tagcloud.swf?xmlpath=xss.xml > > http://site/frontend/tag/tagcloud.swf?xmlpath=http://site/xss.xml > > Via parameters mode and xmlpath. > > Сumulus for DSP CMS: > > > http://site/engine/tags/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27+style=%27font-size:+40pt%27%3EClick%20me%3C/a%3E%3C/tags%3E > > Code will execute after click. It's strictly social XSS > (http://websecurity.com.ua/5476/). Also it's possible to conduct (like in > WP-Cumulus) HTML Injection attack. > > ------------------------------------------------- > Plugins with fixed version of swf-file: > ------------------------------------------------- > > Because in November 2009, after my informing, Roy Tanck (developer of > WP-Cumulus) fixed only XSS vector, but not HTML Injection vector, it's > still > possible to conduct HTML Injection attacks (for injecting arbitrary links) > to all versions of this swf-file (which can be found under name > tagcloud.swf > and other names). Including fixed version of the swf-file, with fixed XSS > hole. > > So all those plugins, which developers fixed this vulnerability (after my > informing or by informing from Roy or other people) by updating swf-file, > are still vulnerable to HTML Injection. These five plugins are using > non-fixed version of swf-file. > > I mentioned about these vulnerabilities at my site: > http://websecurity.com.ua/5601/ > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
