full-disclosure-uk January 2010 archive

Re: [Full-disclosure] XSS vulnerabilities in 34 millions flash files

From: Marko Jakovljevic <wizardx86_at_nospam>
Date: Tue Jan 12 2010 - 16:56:53 GMT
To: full-disclosure@lists.grok.org.uk


Firefox automatically filters unsafe XSS and there are reports this doesn't work in Google Chrome?
From what I understand the implications of this vuln are purely social,
no maliciousness possible?

On Tue, Jan 12, 2010 at 1:44 AM, Jeff Williams <jeffwillis30@gmail.com> wrote:
> Yo MustDie,
>
> Post your shit here:
> http://www.exploit-db.com/
> They love XSS.
>
>
>
> 2010/1/11 MustLive <mustlive@websecurity.com.ua>
>>
>> Hello Full-Disclosure!
>>
>> Yesterday I wrote the article XSS vulnerabilities in 34 millions flash files
>> (http://websecurity.com.ua/3842/), and here is the English version of it.
>>
>> In December, in my article XSS vulnerabilities in 8 millions flash files
>> (http://websecurity.com.ua/3789/), I wrote that there are up to 34000000
>> tagcloud.swf flashes on the Internet which are potentially vulnerable to XSS
>> attacks. Taking into account that in the previous article people mostly
>> didn't pay attention to my mention of another 34 million vulnerable flashes,
>> I decided to write another article about it.
>>
>> The file tagcloud.swf was developed by the author of the WP-Cumulus plugin
>> for WordPress (http://websecurity.com.ua/3665/) and is delivered with this
>> plugin for WordPress, and also with other plugins, particularly Joomulus
>> (http://websecurity.com.ua/3801/) and JVClouds3D
>> (http://websecurity.com.ua/3839/) for Joomla and Blogumus
>> (http://websecurity.com.ua/3843/) for Blogger. Taking into account the
>> prevalence of this flash file, I'll note that it's the most widespread flash
>> file on the Internet with an XSS vulnerability.
>>
>> -------------------------------------
>> Prevalence of the problem.
>> -------------------------------------
>>
>> There are a lot of vulnerable tagcloud.swf files on the Internet (according
>> to Google):
>>
>> http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf
>>
>> If on 18.12.2009 there were about 34000000 results, now there are about
>> 32500000 results. And these are only those flash files which were indexed
>> by Google; actually there can be many more of them.
>>
>> So there are about 32.5 million sites with the file tagcloud.swf which are
>> vulnerable to XSS and HTML Injection attacks.
>>
>> Among them there are about 273000 gov-sites
>> (http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf+inurl:gov&filter=0)
>> which are vulnerable to XSS and HTML Injection attacks.
>>
>> ----------------------------------
>> Vulnerabilities in swf-file.
>> ----------------------------------
>>
>> The file tagcloud.swf is vulnerable to XSS and HTML Injection attacks via
>> the parameter tagcloud.
>>
>> XSS:
>>
>> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>>
>> The code will execute after a click. It's strictly social XSS.
>>
>> HTML Injection:
>>
>> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>>
>> The HTML Injection attack can be conducted particularly against those flash
>> files which have protection (in the flash files or via a WAF) against
>> javascript and vbscript URIs in the parameter tagcloud.
>>
>> ----------------------------------------
>> Examples of vulnerable sites.
>> ----------------------------------------
>>
>> I gave examples of vulnerable sites with this swf-file in the post XSS
>> vulnerabilities in tagcloud.swf at gov and gov.ua
>> (http://websecurity.com.ua/3835/).
>>
>> So flash developers had better attend to the security of their flash files.
>> And owners of sites with vulnerable flashes (particularly tagcloud.swf) need
>> either to fix them themselves or to turn to their developers.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/



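For site owners who cannot yet replace the swf, the practical question raised by the thread is how to spot and filter the `tagcloud` payloads it describes. The following is an added example written for this archive page, not code from the post, from WP-Cumulus or from any of the plugins named. It assumes, as the quoted URLs indicate, that the swf accepts its tag list through a `tagcloud` query parameter holding `<tags><a href=...>...</a></tags>` XML; the access-log lines, the `SITE_HOSTS` allowlist and the `blog.example` host are constructed for the example. It scans log lines for tagcloud.swf requests whose links use a script scheme (including case- and whitespace-mangled `javascript:` URIs) or point off-site, and shows the allowlist a fixed loader would apply before handing tags to the cloud.

```python
"""Defender-side triage for the tagcloud.swf issue discussed in this thread.
Added example, not code from the post or the plugins it names. Assumes, as the
post's URLs indicate, that the swf reads its tags from a `tagcloud` query
parameter holding <tags><a href=...>...</a></tags> XML."""
import re
import urllib.parse
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
from xml.sax.saxutils import escape, quoteattr

# Link schemes a tag cloud may legitimately use; javascript:, vbscript:, data:
# and anything else is treated as active content.
SAFE_SCHEMES = {"http", "https"}
# Hosts the site's own tag cloud is allowed to link to (constructed placeholder).
SITE_HOSTS = {"blog.example"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
STYLE_RE = re.compile(r"font-size:\s*\d+(\.\d+)?(pt|px)")

# Access-log lines constructed for this example: a plain load of the swf, the
# two payload shapes quoted in the post, a case-mangled javascript: URI, and a
# legitimate on-site link.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2010:16:56:53 +0000] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf HTTP/1.1" 200 30120
192.0.2.11 - - [12/Jan/2010:16:57:01 +0000] "GET /tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 30120
192.0.2.12 - - [12/Jan/2010:16:57:09 +0000] "GET /tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 30120
192.0.2.13 - - [12/Jan/2010:16:57:15 +0000] "GET /tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='%20JaVaScRiPt%3aalert(1)'%3Ex%3C/a%3E%3C/tags%3E HTTP/1.1" 200 30120
192.0.2.14 - - [12/Jan/2010:16:57:20 +0000] "GET /tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://blog.example/tag/security'%3Esecurity%3C/a%3E%3C/tags%3E HTTP/1.1" 200 30120
"""


def normalize_scheme(href):
    """Lower-cased scheme with the whitespace/control chars browsers skip removed; '' if relative."""
    cleaned = "".join(ch for ch in href if ord(ch) > 0x20)
    scheme, sep, _ = cleaned.partition(":")
    if not sep or any(c in scheme for c in "/?#"):
        return ""  # no scheme, or the colon belongs to the path/query
    return scheme.lower()


def classify_href(href, site_hosts):
    """'script' for non-http(s) schemes, 'external' for off-site http(s), 'ok' otherwise."""
    scheme = normalize_scheme(href)
    if not scheme:
        return "ok"  # relative link such as /tag/security
    if scheme not in SAFE_SCHEMES:
        return "script"
    host = (urllib.parse.urlsplit(href.strip()).hostname or "").lower()
    return "ok" if host in site_hosts else "external"


def inspect_request(target):
    """(verdict, hrefs) for a tagcloud.swf request carrying a tagcloud parameter, else None."""
    parts = urllib.parse.urlsplit(target)
    if not parts.path.lower().endswith("tagcloud.swf"):
        return None
    params = urllib.parse.parse_qs(parts.query)
    if "tagcloud" not in params:
        return None  # tags supplied by the embedding page, not the URL
    try:
        hrefs = [a.get("href", "") for a in ET.fromstring(params["tagcloud"][0]).iter("a")]
    except ET.ParseError:
        return ("malformed", [])  # not valid <tags> XML: still worth a look
    verdicts = {classify_href(h, SITE_HOSTS) for h in hrefs}
    for level in ("script", "external"):  # report the most severe verdict
        if level in verdicts:
            return (level, hrefs)
    return ("ok", hrefs)


def scan_log(lines):
    """(client, verdict, hrefs) for every tagcloud.swf request that is not 'ok'."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        result = inspect_request(m.group(1)) if m else None
        if result and result[0] != "ok":
            findings.append((line.split(" ", 1)[0], result[0], result[1]))
    return findings


def sanitize_tagcloud(tagcloud_xml, site_hosts):
    """Rebuild <tags> keeping only 'ok' links, a font-size-only style and escaped text."""
    kept = []
    for a in ET.fromstring(tagcloud_xml).iter("a"):
        href = a.get("href", "")
        if classify_href(href, site_hosts) != "ok":
            continue  # drop script and off-site links entirely
        attrs = [f"href={quoteattr(href)}"]
        style = a.get("style", "")
        if STYLE_RE.fullmatch(style):
            attrs.append(f"style={quoteattr(style)}")
        kept.append(f"<a {' '.join(attrs)}>{escape(a.text or '')}</a>")
    return "<tags>" + "".join(kept) + "</tags>"


if __name__ == "__main__":
    for client, verdict, hrefs in scan_log(SAMPLE_LOG.splitlines()):
        print(client, verdict, hrefs)
```

Run against the constructed log, the scan reports the two `javascript:` payloads as `script` and the off-site link as `external`, while the plain swf load and the on-site link produce nothing. On a site whose embed code never passes tags in the query string, any `tagcloud` parameter in the URL is itself a reasonable alert condition; the verdicts then only prioritise.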