full-disclosure-uk January 2010 archive

Re: [Full-disclosure] XSS vulnerabilities in 34 millions flash files

From: Michele Orru <antisnatchor_at_nospam>
Date: Tue Jan 12 2010 - 20:40:58 GMT
To: Jeff Williams <jeffwillis30@gmail.com>


@Jeff
Of course they like XSS: the DB maintained by muts et al. is the "prosecution" of milw0rm, since
str0ke gave up maintaining it.

I remember that str0ke didn't allow publishing advisories ONLY RELATED to XSS (especially reflected ones, as they are so common), but by the way I think it is OK to publish there even the most simple reflected XSS, especially if it is afflicting widely used web-based products.

@MustLive
I see that people don't like your posts here on bugtraq: just try to be clearer in your posts.
XSS vulnerabilities in FLASH files have been researched for many years, and with a tool like
SWFIntruder it is so easy to find them: your post is not something new. It is enough to take the Flash files you mentioned (used by Joomla or whatever), find the XSS, and then do a Google search to see how many sites are using
the vulnerable swf.

Interesting to know how many are vulnerable, but absolutely NOT SOMETHING NEW.

Cheers

Michele "antisnatchor" Orru'
http://antisnatchor.com

On Tue, Jan 12, 2010 at 12:44 AM, Jeff Williams <jeffwillis30@gmail.com> wrote:
> Yo MustDie,
>
> Post your shit here:
> http://www.exploit-db.com/
> They love XSS.
>
>
>
> 2010/1/11 MustLive <mustlive@websecurity.com.ua>
>>
>> Hello Full-Disclosure!
>>
>> Yesterday I wrote the article XSS vulnerabilities in 34 millions flash
>> files
>> (http://websecurity.com.ua/3842/), and here is the English version of it.
>>
>> In December, in my article XSS vulnerabilities in 8 millions flash files
>> (http://websecurity.com.ua/3789/), I wrote that there are up to 34000000
>> tagcloud.swf flashes on the Internet which are potentially vulnerable to
>> XSS attacks. Taking into account that people mostly didn't pay attention
>> in the previous article to my mention of another 34 million vulnerable
>> flashes, I decided to write another article about it.
>>
>> The file tagcloud.swf was developed by the author of the WP-Cumulus plugin
>> for WordPress
>> (http://websecurity.com.ua/3665/) and is delivered with this plugin for
>> WordPress, and also with other plugins, particularly Joomulus
>> (http://websecurity.com.ua/3801/) and JVClouds3D
>> (http://websecurity.com.ua/3839/) for Joomla and Blogumus
>> (http://websecurity.com.ua/3843/) for Blogger. Taking into account the
>> prevalence of this flash file, I'll note that it's the most widespread
>> flash file on the Internet with an XSS vulnerability.
>>
>> -------------------------------------
>> Prevalence of the problem.
>> -------------------------------------
>>
>> There are a lot of vulnerable tagcloud.swf files on the Internet (according
>> to Google):
>>
>> http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf
>>
>> While on 18.12.2009 there were about 34000000 results, now there are
>> about
>> 32500000 results. And these are only those flash files which were indexed
>> by Google; actually there can be many more of them.
>>
>> So there are about 32.5 million sites with the file tagcloud.swf which are
>> vulnerable to XSS and HTML Injection attacks.
>>
>> Among them there are about 273000 gov-sites
>> (http://www.google.com.ua/search?q=filetype:swf+inurl:tagcloud.swf+inurl:gov&filter=0)
>> which are vulnerable to XSS and HTML Injection attacks.
>>
>> ----------------------------------
>> Vulnerabilities in swf-file.
>> ----------------------------------
>>
>> The file tagcloud.swf is vulnerable to XSS and HTML Injection attacks via
>> the tagcloud parameter.
>>
>> XSS:
>>
>>
>> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>>
>> The code will execute after a click. It's strictly social XSS.
>>
>> HTML Injection:
>>
>>
>> http://site/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
>>
>> The HTML Injection attack can be conducted particularly against those flash
>> files which have protection (in the flash files or via a WAF) against
>> javascript and vbscript URIs in the tagcloud parameter.
>>
>> ----------------------------------------
>> Examples of vulnerable sites.
>> ----------------------------------------
>>
>> I gave examples of vulnerable sites with this swf-file in the post XSS
>> vulnerabilities in tagcloud.swf at gov and gov.ua
>> (http://websecurity.com.ua/3835/).
>>
>> So flash developers had better attend to the security of their flash
>> files. And owners of sites with vulnerable flashes (particularly
>> tagcloud.swf) need either to fix them themselves or to turn to their
>> developers.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
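Added here as an editor's example, not code from anyone in this thread: a defender-side Python helper that scans web server access logs for requests loading tagcloud.swf with tag markup in the `tagcloud` query parameter, and classifies each injected href as a script URI (javascript:, vbscript:, data:) or plain HTML injection, matching the two cases in MustLive's post. The log format, paths and sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

SAFE_SCHEMES = {"http", "https"}  # the only URI schemes acceptable in an injected <a href>
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'>]+)""", re.IGNORECASE)
# Combined access-log format: client ident user [time] "METHOD path proto" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def classify_hrefs(tagcloud_xml):
    """Return (kind, href) for every href in a decoded tagcloud XML blob: 'script-uri'
    when the scheme is anything but http/https (javascript:, vbscript:, data:, ...),
    else 'html-injection', since the markup came from the query string, not the embed."""
    findings = []
    for href in HREF_RE.findall(tagcloud_xml):
        # Browsers ignore whitespace/control characters in the scheme (java\tscript:),
        # so strip them before deciding.
        cleaned = re.sub(r"[\s\x00-\x1f]", "", href)
        scheme = cleaned.split(":", 1)[0].lower() if ":" in cleaned else "http"
        kind = "html-injection" if scheme in SAFE_SCHEMES else "script-uri"
        findings.append((kind, cleaned))
    return findings

def scan_request(url):
    """Findings for one request that loads tagcloud.swf with a tagcloud query parameter."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/tagcloud.swf"):
        return []
    # parse_qs percent-decodes and maps '+' to a space, as flashvars parsing does.
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for value in query.get("tagcloud", []):
        findings.extend(classify_hrefs(value))
    return findings

def scan_log(lines):
    """Run scan_request over combined-format log lines; return (client, kind, href) hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for kind, href in scan_request(m.group(3)):
                hits.append((m.group(1), kind, href))
    return hits

# Constructed sample lines (not from the thread): a javascript: URI, a plain link, a normal load.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2010:20:40:58 +0000] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 41230',
    '198.51.100.7 - - [12/Jan/2010:20:41:03 +0000] "GET /tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27http://websecurity.com.ua%27%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 41230',
    '192.0.2.9 - - [12/Jan/2010:20:41:10 +0000] "GET /tagcloud.swf HTTP/1.1" 200 41230',
]
```

Calling `scan_log(SAMPLE_LOG)` yields one script-uri hit and one html-injection hit; the plain embed load produces nothing, so the WAF rule the post alludes to can key on the same two conditions.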