Hello list!

These are Cross-Site Scripting vulnerabilities in ZeroClipboard.

Last week I've made my research of these vulnerabilities and informed all
developers (previous and current) of ZeroClipboard.

When I've downloaded ZeroClipboard in September 2011, when I was writing my 
article Attacks via clipboard
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html), 
where I wrote about different attacks via clipboard, such as XSS, CAS (which 
leads to DoS or Code Execution), attacks on download managers which monitor 
clipboard (which leads to manual downloading of malware or even Automatic 
File Download), clipboard spamming, clipboard phishing and clipboard 
malwaring, I mentioned about it in the article. That my examples of 
JavaScript code (for IE) or ActionScript code (for all browses) can be used 
for such attacks, or to use ZeroClipboard.

-------------------------
Affected products:
-------------------------

Vulnerable are ZeroClipboard 1.0.7 and previous versions. This is concerning
ZeroClipboard developed by original author (Joseph Huckaby). There are new
versions, developed by new authors (Jon Rohan and James M. Greene), in which
they became fixing these vulnerabilities - one XSS in 1.0.8 and another in
1.1.4 version. The last version ZeroClipboard 1.1.7 is not affected.

Original version by Joseph has two flash-files (ZeroClipboard.swf and
ZeroClipboard10.swf) and newer versions by Jon and James have only one
flash-file (ZeroClipboard.swf).

----------
Details:
----------

In September 2011 I've not made any assessment of ZeroClipboard, so draw
attention only on XSS via copying to buffer (it exists in test.html from
archive of original ZeroClipboard, because flash-application doesn't
sanitize input before copying into buffer, similarly as it can be used for
above-mentioned XSS attacks via pasting). This XSS can be triggered at
testing page, where information about copied text is shown and XSS occurs,
or at pasting into html-forms (as described in my article).

Then hip made his assessment of ZeroClipboard recently
(http://packetstormsecurity.com/files/119968/WordPress-WP-Table-Reloaded-Cross-Site-Scripting.html).
He draw attention only concerning this flash-file in WP-Table-Reloaded
plugin for WordPress, but it's not just part of the plugin, it's third-party
application, which is used in multiple web applications and at multiple
sites (as standalone, as in different webapps). So I'm giving detailed
information about ZeroClipboard.

I suggest instead of hip's payload "a\%22))}catch(e){alert(1)}//" to use my
variant - in this case there will be no cyclings of alertbox.

http://site/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

Cross-Site Scripting (WASC-08):

In WP-Table-Reloaded XSS works just with parameter id (this is modified
version of swf-file, so there are different modification of it). In official
version of ZeroClipboard it'll not work without "&width&height", so it's
needed to set all parameters.

http://site/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://site/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

And XSS via copying XSS payload into buffer, described above.

This is very widespread flash-file (both versions), as you can find out via
Google dorks.

inurl:zeroclipboard.swf - about 80500 results
inurl:zeroclipboard10.swf - about 9520 results

Some of these zeroclipboard.swf can be newer versions (with fixed XSS), but
tens of thousands of swf-files (and sites with them) are vulnerable. For
last 14,5 years I saw ZeroClipboard and similar flash-files (for copying
into clipboard) at a lot of web sites. From small sites, till large sites,
such as slideshare.net (this is just one more hole to those multiple holes,
which I've informed them about during last years, and they always don't care
about security of their site - or ignored vulnerabilities, or hiddenly fixed
one hole without any response - typical lame approach, so this hole is going
directly to full disclosure).

http://www.slideshare.net/javascripts/plugins/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua