0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ZeroClipboard XSS vulnerabilities
These are Cross-Site Scripting vulnerabilities in ZeroClipboard. Last week I've made my research of these vulnerabilities and informed all developers (previous and current) of ZeroClipboard. When I've downloaded ZeroClipboard in September 2011, when I was writing my article Attacks via clipboard (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html), where I wrote about different attacks via clipboard, such as XSS, CAS (which leads to DoS or Code Execution), attacks on download managers which monitor clipboard (which leads to manual downloading of malware or even Automatic File Download), clipboard spamming, clipboard phishing and clipboard malwaring, I mentioned about it in the article. That my examples of JavaScript code (for IE) or ActionScript code (for all browses) can be used for such attacks, or to use ZeroClipboard. ------------------------- Affected products: ------------------------- Vulnerable are ZeroClipboard 1.0.7 and previous versions. This is concerning ZeroClipboard developed by original author (Joseph Huckaby). There are new versions, developed by new authors (Jon Rohan and James M. Greene), in which they became fixing these vulnerabilities - one XSS in 1.0.8 and another in 1.1.4 version. The last version ZeroClipboard 1.1.7 is not affected. Original version by Joseph has two flash-files (ZeroClipboard.swf and ZeroClipboard10.swf) and newer versions by Jon and James have only one flash-file (ZeroClipboard.swf). ---------- Details: ---------- In September 2011 I've not made any assessment of ZeroClipboard, so draw attention only on XSS via copying to buffer (it exists in test.html from archive of original ZeroClipboard, because flash-application doesn't sanitize input before copying into buffer, similarly as it can be used for above-mentioned XSS attacks via pasting). This XSS can be triggered at testing page, where information about copied text is shown and XSS occurs, or at pasting into html-forms (as described in my article). Then hip made his assessment of ZeroClipboard recently (http://packetstormsecurity.com/files/119968/WordPress-WP-Table-Reloaded-Cross-Site-Scripting.html). He draw attention only concerning this flash-file in WP-Table-Reloaded plugin for WordPress, but it's not just part of the plugin, it's third-party application, which is used in multiple web applications and at multiple sites (as standalone, as in different webapps). So I'm giving detailed information about ZeroClipboard. I suggest instead of hip's payload "a\%22))}catch(e){alert(1)}//" to use my variant - in this case there will be no cyclings of alertbox. http://site/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)// Cross-Site Scripting (WASC-08): In WP-Table-Reloaded XSS works just with parameter id (this is modified version of swf-file, so there are different modification of it). In official version of ZeroClipboard it'll not work without "&width&height", so it's needed to set all parameters. http://site/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height http://site/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height And XSS via copying XSS payload into buffer, described above. This is very widespread flash-file (both versions), as you can find out via Google dorks. inurl:zeroclipboard.swf - about 80500 results inurl:zeroclipboard10.swf - about 9520 results Some of these zeroclipboard.swf can be newer versions (with fixed XSS), but tens of thousands of swf-files (and sites with them) are vulnerable. For last 14,5 years I saw ZeroClipboard and similar flash-files (for copying into clipboard) at a lot of web sites. From small sites, till large sites, such as slideshare.net (this is just one more hole to those multiple holes, which I've informed them about during last years, and they always don't care about security of their site - or ignored vulnerabilities, or hiddenly fixed one hole without any response - typical lame approach, so this hole is going directly to full disclosure). http://www.slideshare.net/javascripts/plugins/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua # 0day.today [2024-12-26] #