Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 24 Mar 2013 23:51:55 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<full-disclosure@...ts.grok.org.uk>,
	<oss-security@...ts.openwall.com>
Subject: XSS vulnerabilities in ZeroClipboard and multiple web applications

Hello list!

In February I've wrote about Cross-Site Scripting vulnerabilities in 
ZeroClipboard and multiple web applications. This is additional information 
on this topic.

XSS vulnerabilities in ZeroClipboard
http://securityvulns.ru/docs29105.html
XSS vulnerabilities in YAML, Multiproject for Trac, UserCollections for 
Piwigo, TAO and TableTools for DataTables for jQuery
http://securityvulns.ru/docs29104.html
XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS
http://securityvulns.ru/docs29103.html

SecurityVulns ID: 12910
CVE: CVE-2013-1808

During my conversation with old ZeroClipboard developer (Joseph Huckaby) and 
new developers (Jon Rohan and James Greene) last month, I've recommended 
them to prevent downloading of ZeroClipboard's files (swf and sources) from 
repository at Google code. To prevent spreading of vulnerable versions of 
software. After my second letter at 19th of February, Joseph agreed with me 
on this and gave full control for new developers to make necessary changes 
at http://code.google.com/p/zeroclipboard/. About added warnings and 
disallowing of downloads Joseph informed me and later James confirm it too.

But it was not sufficient enough, since I found that it was possible to 
download files directly from repository (and there are many web sites which 
are referencing on these files). So I've suggested Jon and James to 
completely prevent downloading of all vulnerable files from old repository. 
After my letters from 3rd, 16th and 24th of March, they at last did it and 
made complete closure of old repository.

XSS vulnerabilities in zClip and other web applications.

In addition to all those web applications, which I've wrote earlier and 
hundreds of webapps on which I've referenced via google dorks, there are 
tens or hundreds additional vulnerable web applications with ZeroClipboard. 
These are such webapps, which have no swf of ZeroClipboard in their bundles, 
but referencing on it at their sites or in documentation. I have found many 
webapps with such approach (for different flash-files, like all those flash 
video players, about vulnerabilities in which I wrote) for last years and 
wrote about such case. E.g. in 2010 I've wrote about Blogumus - a WP-Cumulus 
fork for Blogger, where there was swf-file at the site, from which users can 
download last version or embed it from that site (like from CDN).

There are such web developers, like developers of zClip and many other web 
applications, which are not bundling vulnerable swf of ZeroClipboard, but 
they referencing to it in old repository and asking all users to manually 
download last version of swf-file from repository (i.e. last vulnerable 
version). I've wrote to zClip developers about it at 6th of March, but they 
just ignored it. So to protect all future users of zClip and any other 
similar software, which are referencing to old repository at Google Code 
(with vulnerable versions of ZeroClipboard), and to force a fix to all such 
software, it was needed to close old repository completely. And today 
ZeroClipboard developers have done it.

XSS (WASC-08):

For zClip the path will be the next. XSS via id parameter and XSS via 
copying payload into clipboard (as described in my first advisory).

http://path/js/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

All versions of zClip are referencing to vulnerable versions of 
ZeroClipboard. So all current users of zClip (including developer of zClip 
at their site) are using vulnerable swf-files and have XSS vulnerabilities 
at their sites. But since today all future users of zClip are protected. 
After I've forced developers of ZeroClipboard, it will prevent spreading of 
vulnerable versions of swf-files and will protect future users of all 
software (like zClip) from downloading vulnerable versions of ZeroClipboard. 
>From now all web developers and users need to download ZeroClipboard only 
from new repository (https://github.com/jonrohan/ZeroClipboard). Everyone 
who is using old versions of ZeroClipboard or software, which are bundled 
with old versions of it, needs to update to the last version 1.1.7 from new 
repository.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.