ZeroClipboard 1.0.7 Cross Site Scripting ( ZeroClipboard.swf XSS )


These are Cross-Site Scripting vulnerabilities in the ZeroClipboard swf file.

hip made his assessment of ZeroClipboard recently. He drew attention only to this flash file as shipped in the WP-Table-Reloaded plugin for WordPress, but it is not just part of that plugin: it is a third-party application used in multiple web applications and on multiple sites (standalone as well as bundled in different web apps). So I am giving detailed information about ZeroClipboard.

Cross-Site Scripting (WASC-08):

The id flashvar is passed to ExternalInterface.call(), which escapes double quotes but not backslashes when it builds the JavaScript call, so a value beginning with \%22 (a backslash followed by a double quote) terminates the string literal and the remainder of the value is executed as script.

Instead of hip's payload "a\%22))}catch(e){alert(1)}//" I suggest using my variant; with it the alert box does not keep reappearing.

http://site/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

In WP-Table-Reloaded the XSS works with the id parameter alone (the plugin ships a modified version of the swf file, so different modifications of it exist). In the official version of ZeroClipboard it will not work without "&width&height", so all parameters must be set:

http://site/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

There is also the XSS via copying an XSS payload into the clipboard buffer, described in hip's assessment mentioned above.
This flash file (both versions) is very widespread, as Google dorks show:

inurl:zeroclipboard.swf - about 80500 results
inurl:zeroclipboard10.swf - about 9520 results

Some of these zeroclipboard.swf files may be newer versions (with the XSS fixed), but tens of thousands of swf files (and the sites hosting them) are vulnerable. Over the last 1.5 years I have seen ZeroClipboard and similar flash files (for copying into the clipboard) on a lot of web sites, from small sites up to large ones, such as (this is just one more hole in addition to the multiple holes I have informed them about during the last years; they never care about the security of their site, either ignoring the vulnerabilities or quietly fixing one hole without any response, a typical lame approach, so this hole goes directly to full disclosure).
