[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf

Hello Kurt!

Yes, I've used CVE-2013-1808 in my next letter in March concerning
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Mar/207).

The are two moments:

1. This is not one issue. But two issues, so it's up to MITRE to put both
into one CVE id or use two different ids.

There are two XSS holes, as I've wrote in my first advisory about XSS
vulnerabilities in ZeroClipboard (http://securityvulns.ru/docs29105.html).
First one via id parameter and second via copying payload into clipboard,
which I've described in my 2011 article "Attacks via clipboard", where I
wrote about different attacks via clipboard (XSS and others) and mentioned
about ZeroClipboard.

2. The number of affected.


it appears to affect quite a few things


I don't agree with you, that it's just few things. In my first advisory I've
wrote about google dorks, which allowed to find almost 1 hundred thousands
web sites with any of two swf-files. And besides these dorks in February
I've crated other dorks, which showed few hundreds of vulnerable sites. And
from them it's possible to see that there can be hundreds of web
applications. So both amounts of affected webapps and especially affected
web sites are sufficient.

As it can be seen from my next two advisories in February with lists of
affected web applications with ZeroClipboard.swf and ZeroClipboard10.swf. In
March I've made two new advisories on this topic and Henri Salo published
his list of vulnerable webapps with ZeroClipboard, so there are a lot of
such web applications.


So did you report this vulnerability to those projects? Even to security@
or similar address?


To Henri.

The first I've informed developers (old and new ones) about these issues.
Even new developers already fixed them in 2012 according to changelog. And
forced old developer to remove vulnerable swf-files from his site.

Also I forced all developers to prevent spreading of old vulnerable
swf-files and to make such a fix to all those multiple web applications,
which are using ZeroClipboard but are bundling with swf, just with a
reference to old repository with vulnerable swf. As I've wrote earlier
(http://seclists.org/fulldisclosure/2013/Mar/207).

But yes, I've informed a lot of developer about these issues, after I've
published my first advisory in February. Such as developers YAML,
Multiproject for Trac, UserCollections for Piwigo, TAO, TableTools for
DataTables for jQuery, em-shorty, RepRapCalculator, Fulcrum, Django, aCMS
and zClip. Via official contacts at their sites, so they for sure received
my letters.

But nobody answered (it looked like they don't care about security of their
software). Except one developer - it's developer of TableTools. At 4th of
March he answered me, that he already fixed that hole. Before my informing,
they were informed by Hip (those who found this XSS hole in swf in
WP-Table-Reloaded, as I mentioned in my first advisory) and fixed XSS hole
yet already at 01.02.2013. In version TableTools 2.1.5.

Note, that they fixed just one XSS hole (as developers of WP-Table-Reloaded,
as of TableTools, which Hip told them about), but there is second XSS, as
I've wrote earlier. So I've told TableTools developers that they are still
vulnerable to second XSS. In beginning of March, when I looked in repository
of TableTools, I've found another version of swf - ZeroClipboardPdf.swf.

So we have not only ZeroClipboard.swf, but also ZeroClipboardPdf.swf
vulnerable to two XSS holes in versions prior to 2.1.5, and vulnerable to
one XSS since 2.1.5. Just in last versions developers are not bundling
swf-files, but only sources (*.as), so users need to compile as into swf by
themselves. I've not found web sites with ZeroClipboardPdf.swf in Google's
index (only sites with as-files), so for now only vulnerable sites with
TableTools for DataTables with ZeroClipboard.swf can be found.


Did you ask CVE identifiers?


You've asked me concerning CVE already three years ago and I've wrote you my
opinion about it. You should remember what I've asked earlier (read my
letters from 09.03.2010 and 07.04.2010). I'm not dealing with CVE (as they
were not serious long time ago and nothing changed).

So I can recommend to use the next identifier: SecurityVulns ID: 12910. If
you want CVE id, then you create it by yourself (as you did) - for this
reason I'm publishing to security mailing lists.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message ----- From: "Kurt Seifried" <kseifried@xxxxxxxxxx> 
To: "Henri Salo" <henri@xxxxxxx>
Cc: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>;
<full-disclosure@xxxxxxxxxxxxxxxxx>; <jon@xxxxxxxxxxx>;
<oss-security@xxxxxxxxxxxxxxxxxx>
Sent: Sunday, March 03, 2013 5:45 AM
Subject: Re: [Full-disclosure] XSS vulnerabilities in em-shorty,
RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/02/2013 10:17 AM, Henri Salo wrote:

On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote:

I'm resending my letter from February 23, 2013 (since FD was not
working that day).

After my previous list of vulnerable software with
ZeroClipboard.swf, here is a list of software with
ZeroClipboard10.swf. These are Cross-Site Scripting
vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django
and aCMS.

Earlier I've wrote about Cross-Site Scripting vulnerabilities in
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103).
I wrote that this is very widespread flash-file and it's placed
at tens of thousands of web sites. And it's used in hundreds of
web applications. Among them are em-shorty, RepRapCalculator,
Fulcrum (CMS), Django and aCMS. And there are many other
vulnerable web applications with ZeroClipboard10.swf (some of
them also contain ZeroClipboard.swf).


So did you report this vulnerability to those projects? Even to
security@ or similar address? I noticed this vulnerability from
WordPress plugins. Did you report those? Did you ask CVE
identifiers?


Please use CVE-2013-1808 for this issue. Added the author to the CC so
he's aware of it. Also thanks to Henri Salo who has taken on
coordinating this issue (it appears to affect quite a few things).


-- Henri Salo
- -- Kurt Seifried Red Hat Security Response Team (SRT) 
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRMrlPAAoJEBYNRVNeJnmTdIcP/jCg7dnLg39HSNiFCpSUtp4m
I5kvJqyCcIEfVH7E6buHjN81tD8j4HTQBm89lxwD5E+Ukk0vwLrJ8hekEn10hY6A
Mhr1oaxM6RlRLYEkNLt9njnd1iyLW5Vt47SCuqv5p0EmFZ7Uy/2fdZMziIAUEuIM
kh2Si3097ntuZL+HagF6SQziiVIBIpLVI5qwCi4aULix949rVIHUhOFgP1AMTMKp
b64nSCGkxxd/hZ1j8qOTt/zSdkMwmRyIteP5UcJ2C8opRPU8TKR780kq7PyAPZhi
ZYPUhztgEnTKVbvtv8eZ5aS4IjVGZGNC4yF5+GOtCMs6OCToMW7WZ5STbCK1uR1n
1ArPFBYg4kK+ul33NYlUOJcdXbGoQE/ImIjh+jmzI4NjREwGGbBawICl3Q1GFvLd
+tBrKY8C4q9LDQzIR0ctkywkLi/6t95ds5iRzZhBL2V+4EjjmWDoo8Zyx+gQuQ4A
BTWsV5IdT9DIarIw7lW09DU2pGjkFm/y8mNBde2a5ZnSqZIsTBwCu2M2NhyfQ8vi
MQI4M/aGB8pG/DeGmaYNmQkYk4a/Hb8tyApSWLsVmrDQgpEpQ9Y9rrbuM+K6GspA
1MC2/bCZGYf3GM0EApGJY64UCE9s0qzGs0Sy3g5cUNFUsoDRrKPdxnkiA8rk1yY9
eMC+bdCYgeHd/CZwsMYp
=oHXG
-----END PGP SIGNATURE----- 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/