Date: Sun, 31 Mar 2013 23:50:18 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Kurt Seifried" <kseifried@...hat.com>
Cc: <henri@...v.fi>,
	<full-disclosure@...ts.grok.org.uk>,
	<oss-security@...ts.openwall.com>
Subject: Re: [Full-disclosure] XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf

Hello Kurt!

Yes, I've used CVE-2013-1808 in my next letter in March concerning
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Mar/207).

There are two moments:

1. This is not one issue. But two issues, so it's up to MITRE to put both
into one CVE id or use two different ids.

There are two XSS holes, as I've written in my first advisory about XSS
vulnerabilities in ZeroClipboard (http://securityvulns.ru/docs29105.html).
First one via id parameter and second via copying payload into clipboard,
which I've described in my 2011 article "Attacks via clipboard", where I
wrote about different attacks via clipboard (XSS and others) and mentioned
ZeroClipboard.

2. The number of affected.

> it appears to affect quite a few things

I don't agree with you, that it's just few things. In my first advisory I've
written about google dorks, which allowed to find almost 1 hundred thousand
web sites with any of two swf-files. And besides these dorks in February
I've created other dorks, which showed few hundreds of vulnerable sites. And
from them it's possible to see that there can be hundreds of web
applications. So both amounts of affected webapps and especially affected
web sites are sufficient.

As it can be seen from my next two advisories in February with lists of
affected web applications with ZeroClipboard.swf and ZeroClipboard10.swf. In
March I've made two new advisories on this topic and Henri Salo published
his list of vulnerable webapps with ZeroClipboard, so there are a lot of
such web applications.

> So did you report this vulnerability to those projects? Even to security@
> or similar address?

To Henri.

The first I've informed developers (old and new ones) about these issues.
Even new developers already fixed them in 2012 according to changelog. And
forced old developer to remove vulnerable swf-files from his site.

Also I forced all developers to prevent spreading of old vulnerable
swf-files and to make such a fix to all those multiple web applications,
which are using ZeroClipboard but are bundling with swf, just with a
reference to old repository with vulnerable swf. As I've written earlier
(http://seclists.org/fulldisclosure/2013/Mar/207).

But yes, I've informed a lot of developers about these issues, after I've
published my first advisory in February. Such as developers YAML,
Multiproject for Trac, UserCollections for Piwigo, TAO, TableTools for
DataTables for jQuery, em-shorty, RepRapCalculator, Fulcrum, Django, aCMS
and zClip. Via official contacts at their sites, so they for sure received
my letters.

But nobody answered (it looked like they don't care about security of their
software). Except one developer - it's developer of TableTools. On 4th of
March he answered me, that he already fixed that hole. Before my informing,
they were informed by Hip (those who found this XSS hole in swf in
WP-Table-Reloaded, as I mentioned in my first advisory) and fixed XSS hole
yet already at 01.02.2013. In version TableTools 2.1.5.

Note, that they fixed just one XSS hole (as developers of WP-Table-Reloaded,
as of TableTools, which Hip told them about), but there is second XSS, as
I've written earlier. So I've told TableTools developers that they are still
vulnerable to second XSS. In beginning of March, when I looked in repository
of TableTools, I've found another version of swf - ZeroClipboardPdf.swf.

So we have not only ZeroClipboard.swf, but also ZeroClipboardPdf.swf
vulnerable to two XSS holes in versions prior to 2.1.5, and vulnerable to
one XSS since 2.1.5. Just in last versions developers are not bundling
swf-files, but only sources (*.as), so users need to compile as into swf by
themselves. I've not found web sites with ZeroClipboardPdf.swf in Google's
index (only sites with as-files), so for now only vulnerable sites with
TableTools for DataTables with ZeroClipboard.swf can be found.

> Did you ask CVE identifiers?

You've asked me concerning CVE already three years ago and I've written you my
opinion about it. You should remember what I've asked earlier (read my
letters from 09.03.2010 and 07.04.2010). I'm not dealing with CVE (as they
were not serious long time ago and nothing changed).

So I can recommend to use the next identifier: SecurityVulns ID: 12910. If
you want CVE id, then you create it by yourself (as you did) - for this
reason I'm publishing to security mailing lists.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Kurt Seifried" <kseifried@...hat.com>
To: "Henri Salo" <henri@...v.fi>
Cc: "MustLive" <mustlive@...security.com.ua>;
<full-disclosure@...ts.grok.org.uk>; <jon@...rohan.me>;
<oss-security@...ts.openwall.com>
Sent: Sunday, March 03, 2013 5:45 AM
Subject: Re: [Full-disclosure] XSS vulnerabilities in em-shorty,
RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/02/2013 10:17 AM, Henri Salo wrote:
>> On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote:
>>> I'm resending my letter from February 23, 2013 (since FD was not
>>> working that day).
>>>
>>> After my previous list of vulnerable software with
>>> ZeroClipboard.swf, here is a list of software with
>>> ZeroClipboard10.swf. These are Cross-Site Scripting
>>> vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django
>>> and aCMS.
>>>
>>> Earlier I've written about Cross-Site Scripting vulnerabilities in
>>> ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103).
>>> I wrote that this is very widespread flash-file and it's placed
>>> at tens of thousands of web sites. And it's used in hundreds of
>>> web applications. Among them are em-shorty, RepRapCalculator,
>>> Fulcrum (CMS), Django and aCMS. And there are many other
>>> vulnerable web applications with ZeroClipboard10.swf (some of
>>> them also contain ZeroClipboard.swf).
>>
>> So did you report this vulnerability to those projects? Even to
>> security@ or similar address? I noticed this vulnerability from
>> WordPress plugins. Did you report those? Did you ask CVE
>> identifiers?
>
> Please use CVE-2013-1808 for this issue. Added the author to the CC so
> he's aware of it. Also thanks to Henri Salo who has taken on
> coordinating this issue (it appears to affect quite a few things).
>
>> -- Henri Salo
>
>
>
> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>

