AOH :: HP Unsorted W :: B1A-1089.HTM

widget Flash Tag Cloud for Blogsa and other ASP.NET engines Vulnerability



Vulnerability in widget Flash Tag Cloud for Blogsa and other ASP.NET engines
Vulnerability in widget Flash Tag Cloud for Blogsa and other ASP.NET engines



Hello Bugtraq!

I want to warn you about security vulnerability in Flash Tag Cloud control
for ASP.NET.

-----------------------------
Advisory: Vulnerability in widget Flash Tag Cloud for Blogsa and other
ASP.NET engines
-----------------------------
URL: http://websecurity.com.ua/4213/ 
-----------------------------
Affected products: all versions of Flash Tag Cloud control for ASP.NET, all
versions of Flash Tag Cloud for Blogsa and other ASP.NET engines.
-----------------------------
Timeline:

10.05.2010 - found vulnerability.
19.05.2010 - disclosed at my site.
20.05.2010 - informed developers.
-----------------------------
Details:

This is Cross-Site Scripting vulnerability. Which I found in Flash Tag Cloud
control for ASP.NET (http://flashtagcloud.codeplex.com) on web sites with 
Blogsa engine, but any ASP-sites with Flash Tag Cloud control and other
ASP.NET engines with this widget can be vulnerable.

This XSS is similar to XSS vulnerability in WP-Cumulus and other web
applications which I already reported to security mailing lists, because
it's using tagcloud.swf made by author of WP-Cumulus. About millions of
flash files tagcloud.swf which are vulnerable to XSS attacks I mentioned in
my article XSS vulnerabilities in 34 millions flash files
(http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00035.html). 

XSS:

http://site/Widgets/FlashTagCloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E 

Code will execute after click. It's strictly social XSS.

Also it's possible to conduct (like in WP-Cumulus) HTML Injection attack,
including in those flash files which have protection (in flash files or via
WAF) against javascript and vbscript URI in parameter tagcloud.

HTML Injection:

http://site/Widgets/FlashTagCloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E 

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.