Vigil@nce - Dotclear, TYPO3, SPIP: Cross Site Scripting in the embedded application swfupload.swf
November 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
In a web site managed with Dotclear, TYPO3 or SPIP, an attacker
can use swfupload.swf to trigger a Cross Site Scripting, in order
to execute JavaScript code within the Web site context.
– Impacted products: Dotclear, SPIP, TYPO3
– Severity: 2/4
– Creation date: 14/11/2012
– Revision date: 26/11/2012
DESCRIPTION OF THE VULNERABILITY
The blog manager Dotclear and several applications that runs over
TYPO3 or SPIP include the Flash application swfupload.swf, to
upload files to the server.
The form parameter movieName is used to identify an application
instance in the HTML page. However, the application does not check
the parameter value before displaying it in the HTML page. An
attacker can thus insert JavaScript code in this parameter, which
is executed in the victim’s Web browser.
In a web site managed with Dotclear, Typo3 or SPIP, an attacker
can therefore use swfupload.swf to trigger a Cross Site Scripting,
in order to execute JavaScript code within the Web site context.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN