Date: Sun, 31 Mar 2013 23:50:18 +0300 From: "MustLive" <mustlive@...security.com.ua> To: "Kurt Seifried" <kseifried@...hat.com> Cc: <henri@...v.fi>, <full-disclosure@...ts.grok.org.uk>, <oss-security@...ts.openwall.com> Subject: Re: [Full-disclosure] XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf Hello Kurt! Yes, I've used CVE-2013-1808 in my next letter in March concerning ZeroClipboard (http://seclists.org/fulldisclosure/2013/Mar/207). The are two moments: 1. This is not one issue. But two issues, so it's up to MITRE to put both into one CVE id or use two different ids. There are two XSS holes, as I've wrote in my first advisory about XSS vulnerabilities in ZeroClipboard (http://securityvulns.ru/docs29105.html). First one via id parameter and second via copying payload into clipboard, which I've described in my 2011 article "Attacks via clipboard", where I wrote about different attacks via clipboard (XSS and others) and mentioned about ZeroClipboard. 2. The number of affected. > it appears to affect quite a few things I don't agree with you, that it's just few things. In my first advisory I've wrote about google dorks, which allowed to find almost 1 hundred thousands web sites with any of two swf-files. And besides these dorks in February I've crated other dorks, which showed few hundreds of vulnerable sites. And from them it's possible to see that there can be hundreds of web applications. So both amounts of affected webapps and especially affected web sites are sufficient. As it can be seen from my next two advisories in February with lists of affected web applications with ZeroClipboard.swf and ZeroClipboard10.swf. In March I've made two new advisories on this topic and Henri Salo published his list of vulnerable webapps with ZeroClipboard, so there are a lot of such web applications. > So did you report this vulnerability to those projects? Even to security@ > or similar address? To Henri. The first I've informed developers (old and new ones) about these issues. Even new developers already fixed them in 2012 according to changelog. And forced old developer to remove vulnerable swf-files from his site. Also I forced all developers to prevent spreading of old vulnerable swf-files and to make such a fix to all those multiple web applications, which are using ZeroClipboard but are bundling with swf, just with a reference to old repository with vulnerable swf. As I've wrote earlier (http://seclists.org/fulldisclosure/2013/Mar/207). But yes, I've informed a lot of developer about these issues, after I've published my first advisory in February. Such as developers YAML, Multiproject for Trac, UserCollections for Piwigo, TAO, TableTools for DataTables for jQuery, em-shorty, RepRapCalculator, Fulcrum, Django, aCMS and zClip. Via official contacts at their sites, so they for sure received my letters. But nobody answered (it looked like they don't care about security of their software). Except one developer - it's developer of TableTools. At 4th of March he answered me, that he already fixed that hole. Before my informing, they were informed by Hip (those who found this XSS hole in swf in WP-Table-Reloaded, as I mentioned in my first advisory) and fixed XSS hole yet already at 01.02.2013. In version TableTools 2.1.5. Note, that they fixed just one XSS hole (as developers of WP-Table-Reloaded, as of TableTools, which Hip told them about), but there is second XSS, as I've wrote earlier. So I've told TableTools developers that they are still vulnerable to second XSS. In beginning of March, when I looked in repository of TableTools, I've found another version of swf - ZeroClipboardPdf.swf. So we have not only ZeroClipboard.swf, but also ZeroClipboardPdf.swf vulnerable to two XSS holes in versions prior to 2.1.5, and vulnerable to one XSS since 2.1.5. Just in last versions developers are not bundling swf-files, but only sources (*.as), so users need to compile as into swf by themselves. I've not found web sites with ZeroClipboardPdf.swf in Google's index (only sites with as-files), so for now only vulnerable sites with TableTools for DataTables with ZeroClipboard.swf can be found. > Did you ask CVE identifiers? You've asked me concerning CVE already three years ago and I've wrote you my opinion about it. You should remember what I've asked earlier (read my letters from 09.03.2010 and 07.04.2010). I'm not dealing with CVE (as they were not serious long time ago and nothing changed). So I can recommend to use the next identifier: SecurityVulns ID: 12910. If you want CVE id, then you create it by yourself (as you did) - for this reason I'm publishing to security mailing lists. Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua ----- Original Message ----- From: "Kurt Seifried" <kseifried@...hat.com> To: "Henri Salo" <henri@...v.fi> Cc: "MustLive" <mustlive@...security.com.ua>; <full-disclosure@...ts.grok.org.uk>; <jon@...rohan.me>; <oss-security@...ts.openwall.com> Sent: Sunday, March 03, 2013 5:45 AM Subject: Re: [Full-disclosure] XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 03/02/2013 10:17 AM, Henri Salo wrote: >> On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote: >>> I'm resending my letter from February 23, 2013 (since FD was not >>> working that day). >>> >>> After my previous list of vulnerable software with >>> ZeroClipboard.swf, here is a list of software with >>> ZeroClipboard10.swf. These are Cross-Site Scripting >>> vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django >>> and aCMS. >>> >>> Earlier I've wrote about Cross-Site Scripting vulnerabilities in >>> ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). >>> I wrote that this is very widespread flash-file and it's placed >>> at tens of thousands of web sites. And it's used in hundreds of >>> web applications. Among them are em-shorty, RepRapCalculator, >>> Fulcrum (CMS), Django and aCMS. And there are many other >>> vulnerable web applications with ZeroClipboard10.swf (some of >>> them also contain ZeroClipboard.swf). >> >> So did you report this vulnerability to those projects? Even to >> security@ or similar address? I noticed this vulnerability from >> WordPress plugins. Did you report those? Did you ask CVE >> identifiers? > > Please use CVE-2013-1808 for this issue. Added the author to the CC so > he's aware of it. Also thanks to Henri Salo who has taken on > coordinating this issue (it appears to affect quite a few things). > >> -- Henri Salo > > > > - -- > Kurt Seifried Red Hat Security Response Team (SRT) > PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.13 (GNU/Linux) > > iQIcBAEBAgAGBQJRMrlPAAoJEBYNRVNeJnmTdIcP/jCg7dnLg39HSNiFCpSUtp4m > I5kvJqyCcIEfVH7E6buHjN81tD8j4HTQBm89lxwD5E+Ukk0vwLrJ8hekEn10hY6A > Mhr1oaxM6RlRLYEkNLt9njnd1iyLW5Vt47SCuqv5p0EmFZ7Uy/2fdZMziIAUEuIM > kh2Si3097ntuZL+HagF6SQziiVIBIpLVI5qwCi4aULix949rVIHUhOFgP1AMTMKp > b64nSCGkxxd/hZ1j8qOTt/zSdkMwmRyIteP5UcJ2C8opRPU8TKR780kq7PyAPZhi > ZYPUhztgEnTKVbvtv8eZ5aS4IjVGZGNC4yF5+GOtCMs6OCToMW7WZ5STbCK1uR1n > 1ArPFBYg4kK+ul33NYlUOJcdXbGoQE/ImIjh+jmzI4NjREwGGbBawICl3Q1GFvLd > +tBrKY8C4q9LDQzIR0ctkywkLi/6t95ds5iRzZhBL2V+4EjjmWDoo8Zyx+gQuQ4A > BTWsV5IdT9DIarIw7lW09DU2pGjkFm/y8mNBde2a5ZnSqZIsTBwCu2M2NhyfQ8vi > MQI4M/aGB8pG/DeGmaYNmQkYk4a/Hb8tyApSWLsVmrDQgpEpQ9Y9rrbuM+K6GspA > 1MC2/bCZGYf3GM0EApGJY64UCE9s0qzGs0Sy3g5cUNFUsoDRrKPdxnkiA8rk1yY9 > eMC+bdCYgeHd/CZwsMYp > =oHXG > -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.