OpenVBX - CSRF / XSS / Object Injection

Vulnerable Product(s): OpenVBX
Affected Version(s): OpenVBX 1.2.13
Vulnerability Type: CSRF / XSS / Object Injection

OpenVBX is a web-based open source phone system for business. "OpenVBX" and "Twilio" are trademarks of Twilio, Inc., all rights reserved. If you want to say something like "Powered by Twilio" or "Powered by OpenVBX" we'd be honored. If you want to redistribute OpenVBX or the iPhone app, you must come up with your own product name. Use of the Twilio trademarks in your product name requires Twilio's written permission.

Technical Details:
The vulnerability is caused by insufficient input validation of the "movieName" and "buttonText" parameters passed to swfupload.swf (CVE-2012-3414). This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

A separate CSRF vulnerability exists in Plupload (CVE-2012-3415). The Plupload Flash applet called Security.allowDomain('*') so that it could be used from any domain (for instance, so it could be served from S3). That meant anyone could interact with the Plupload applet from any other site on the Internet by embedding it on a page and driving it with JavaScript. Because of the way the same-origin policy works in Flash, the applet could still make requests back to the domain on which it was hosted. In addition, the full URL for an upload request could be specified via JavaScript, and the result of that request (i.e. the HTML of the resulting page) was passed back via JavaScript to the embedding page.
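As an added illustration (not code from OpenVBX, SWFUpload or Plupload), the JavaScript below shows the two input checks that close the gaps described above: movieName is restricted to identifier characters before it is concatenated into the SWFUpload.instances["..."] callback expression, and an upload URL supplied from JavaScript is accepted only when it resolves to the origin the applet was served from. The function names, the hostOrigin value and the 64-character length cap are assumptions chosen for this example.

```javascript
// Added example, not project code. Shows defensive checks for the two
// weaknesses in the advisory: an unvalidated movieName reaching a JavaScript
// expression, and an upload target not bound to the hosting origin.

// Identifier characters only: anything that could close the quoted string or
// the bracket in SWFUpload.instances["..."] is rejected.
const SAFE_MOVIE_NAME = /^[A-Za-z0-9_]+$/;
const MAX_MOVIE_NAME_LENGTH = 64; // assumed cap, not from the advisory

function isSafeMovieName(name) {
  return (
    typeof name === "string" &&
    name.length > 0 &&
    name.length <= MAX_MOVIE_NAME_LENGTH &&
    SAFE_MOVIE_NAME.test(name)
  );
}

// Builds the callback expression the SWF hands to ExternalInterface, but only
// from a validated movieName and a validated event name.
function buildCallback(movieName, event) {
  if (!isSafeMovieName(movieName)) {
    throw new Error("rejected movieName: not an identifier");
  }
  if (!/^[A-Za-z][A-Za-z0-9_]*$/.test(event)) {
    throw new Error("rejected event name");
  }
  return 'SWFUpload.instances["' + movieName + '"].' + event;
}

// hostOrigin is the origin the applet was served from (hypothetical value in
// the usage below). A caller-supplied URL is accepted only if it resolves to
// the same scheme, host and port, which is the restriction allowDomain('*')
// discarded. Relative paths resolve against hostOrigin and therefore pass.
function isAllowedUploadUrl(urlString, hostOrigin) {
  let target;
  try {
    target = new URL(urlString, hostOrigin);
  } catch (e) {
    return false; // unparsable input is rejected, not guessed at
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return false; // no javascript:, data: or other non-HTTP schemes
  }
  return target.origin === new URL(hostOrigin).origin;
}

// Usage with constructed values (vbx.example.com is a placeholder host).
const HOST_ORIGIN = "https://vbx.example.com";
console.log(buildCallback("SWFUpload_0", "uploadSuccess"));
console.log(isAllowedUploadUrl("/upload.php", HOST_ORIGIN)); // true
console.log(isAllowedUploadUrl("https://other.example.net/upload", HOST_ORIGIN)); // false
```

The origin comparison uses the URL object's own `origin`, so a differing port or scheme is treated as a different site, matching how the browser's same-origin policy partitions requests.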

PoC / Exploit code (the relevant SWFUpload ActionScript, where movieName is read from the flashvars and concatenated into JavaScript callback expressions without validation):
// Get the movie name
this.movieName = root.loaderInfo.parameters.movieName;

// **Configure the callbacks**
// The JavaScript tracks all the instances of SWFUpload on a page.  We can access the instance
// associated with this SWF file using the movieName.  Each callback is accessible by making
// a call directly to it on our instance.  There is no error handling for undefined callback functions.
// A developer would have to deliberately remove the default functions, set the variable to null, or remove
// it from the init function.
this.flashReady_Callback         = "SWFUpload.instances[\"" + this.movieName + "\"].flashReady";
this.fileDialogStart_Callback    = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogStart";
this.fileQueued_Callback         = "SWFUpload.instances[\"" + this.movieName + "\"].fileQueued";
this.fileQueueError_Callback     = "SWFUpload.instances[\"" + this.movieName + "\"].fileQueueError";
this.fileDialogComplete_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogComplete";

this.uploadStart_Callback        = "SWFUpload.instances[\"" + this.movieName + "\"].uploadStart";
this.uploadProgress_Callback     = "SWFUpload.instances[\"" + this.movieName + "\"].uploadProgress";
this.uploadError_Callback        = "SWFUpload.instances[\"" + this.movieName + "\"].uploadError";
this.uploadSuccess_Callback      = "SWFUpload.instances[\"" + this.movieName + "\"].uploadSuccess";

this.uploadComplete_Callback     = "SWFUpload.instances[\"" + this.movieName + "\"].uploadComplete";

this.debug_Callback              = "SWFUpload.instances[\"" + this.movieName + "\"].debug";

this.testExternalInterface_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].testExternalInterface";
this.cleanUp_Callback            = "SWFUpload.instances[\"" + this.movieName + "\"].cleanUp";
this.buttonAction_Callback       = "SWFUpload.instances[\"" + this.movieName + "\"].buttonAction";

hxxp://<img src=''>

Author/Group: Fahmi Fisal

Fix or Patch: On the server side, you can upgrade SWFUpload to a non-vulnerable version.
