full-disclosure-uk January 2010 archive

Re: [Full-disclosure] XSS vulnerabilities in 34 millions flash files

From: Jeff Williams <jeffwillis30_at_nospam>
Date: Mon Jan 11 2010 - 23:44:14 GMT
To: MustLive <mustlive@websecurity.com.ua>, full-disclosure@lists.grok.org.uk


Yo MustDie,

Post your shit here:
http://www.exploit-db.com/
They love XSS.

2010/1/11 MustLive <mustlive@websecurity.com.ua>

> Hello Full-Disclosure!
>
> Yesterday I wrote the article XSS vulnerabilities in 34 millions flash files
> (http://websecurity.com.ua/3842/), and here is the English version of it.
>
> In December, in my article XSS vulnerabilities in 8 millions flash files
> (http://websecurity.com.ua/3789/), I wrote that there are up to 34000000
> tagcloud.swf flash files on the Internet which are potentially vulnerable to
> XSS attacks. Since most people did not pay attention to my mention, in the
> previous article, of another 34 million vulnerable flash files, I decided to
> write another article about it.
>
> The file tagcloud.swf was developed by the author of the WP-Cumulus plugin for
> WordPress (http://websecurity.com.ua/3665/) and is delivered with this plugin
> for WordPress, and also with other plugins, particularly Joomulus
> (http://websecurity.com.ua/3801/) and JVClouds3D
> (http://websecurity.com.ua/3839/) for Joomla and Blogumus
> (http://websecurity.com.ua/3843/) for Blogger. Taking into account the
> prevalence of this flash file, I'll note that it is the most widespread flash
> file on the Internet with an XSS vulnerability.
>
> -------------------------------------
> Prevalence of the problem.
> -------------------------------------
>
> There are a lot of vulnerable tagcloud.swf files on the Internet (according
> to Google):
>
> http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf
>
> On 18.12.2009 there were about 34000000 results; now there are about
> 32500000 results. And these are only the flash files which were indexed
> by Google; there can actually be many more of them.
>
> So there are about 32,5 million sites with the file tagcloud.swf which are
> vulnerable to XSS and HTML Injection attacks.
>
> Among them there are about 273000 gov sites
> (http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf+inurl:gov&filter=0)
> which are vulnerable to XSS and HTML Injection attacks.
>
> ----------------------------------
> Vulnerabilities in swf-file.
> ----------------------------------
>
> The file tagcloud.swf is vulnerable to XSS and HTML Injection attacks via
> the tagcloud parameter.
>
> XSS:
>
>
> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>
> The code will execute after a click. It's strictly social XSS.
>
> HTML Injection:
>
>
> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>
> An HTML Injection attack can be conducted in particular on those flash files
> which have protection (in the flash files or via a WAF) against javascript
> and vbscript URIs in the tagcloud parameter.
>
> ----------------------------------------
> Examples of vulnerable sites.
> ----------------------------------------
>
> I gave examples of vulnerable sites with this swf-file in the post XSS
> vulnerabilities in tagcloud.swf at gov and gov.ua
> (http://websecurity.com.ua/3835/).
>
> So flash developers would do better to attend to the security of their flash
> files. And owners of sites with vulnerable flash files (particularly
> tagcloud.swf) need either to fix them themselves or to turn to their
> developers.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
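
A defender-side log triage for the two request shapes described in the quoted post, added here as an example and not part of the original thread. The function names, the combined access-log format and the `own_hosts` set are assumptions; the sample log lines are constructed, with the first two payloads mirroring the post's URLs.

```python
import re
from html import unescape
from urllib.parse import urlsplit, parse_qs

# href value in single quotes, double quotes, or unquoted
HREF_RE = re.compile(r"""href\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCRIPT_SCHEMES = {"javascript", "vbscript"}  # the two schemes the post names

def classify_target(target, own_hosts):
    """'xss', 'html-injection' or 'benign' for a tagcloud.swf request, else None."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("/tagcloud.swf"):
        return None
    verdict = "benign"
    for value in parse_qs(query).get("tagcloud", []):  # percent-decoded, '+' -> space
        for groups in HREF_RE.findall(value):
            href = "".join(groups)  # exactly one alternative captured
            # Assumed normalisation: decode entities, drop whitespace/control bytes
            link = re.sub(r"[\x00-\x20]+", "", unescape(href)).lower()
            if link.partition(":")[0] in SCRIPT_SCHEMES:
                return "xss"
            try:
                host = urlsplit(link).hostname
            except ValueError:  # malformed authority: count it as foreign
                host = "invalid"
            if host and host not in own_hosts:
                verdict = "html-injection"  # link leaves the site: injected content
    return verdict

def triage(log_lines, own_hosts):
    """Return (line_number, verdict) for each suspicious tagcloud.swf request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        verdict = classify_target(m.group(1), own_hosts) if m else None
        if verdict in ("xss", "html-injection"):
            hits.append((n, verdict))
    return hits

def _line(target):  # builds a constructed combined-format access-log line
    return f'198.51.100.7 - - [11/Jan/2010:23:40:01 +0000] "GET {target} HTTP/1.1" 200 512'

TAGS = "/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href="
SAMPLE_LOG = [  # constructed sample input
    _line(TAGS + "'javascript:alert(document.cookie)'%3EClick%20me%3C/a%3E%3C/tags%3E"),
    _line(TAGS + "'http://websecurity.com.ua'%3EClick%20me%3C/a%3E%3C/tags%3E"),
    _line(TAGS + "'http://site/tag/xss'%3Exss%3C/a%3E%3C/tags%3E"),
    _line("/index.php"),
]
```

The off-site check matters because, as the post notes, a filter that only blocks javascript and vbscript URIs still lets an injected external link through.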


