
Wednesday, November 25, 2015

[FD] Cross Site Scripting (XSS) 0day in SimpleViewer all versions

########################################################################################################
Cross Site Scripting (XSS) & Content spoofing in SimpleViewer all versions via remote xml payload [2015]
########################################################################################################

EAT, SLEEP, HACK, REPEAT, EAT, SLEEP, HACK, REPEAT, EAT, SLEEP, HACK, REPEAT, EAT, SLEEP, HACK, REPEAT

########################################################################################################

Vendor: http://ift.tt/1PNEhan
Vulnerable application: simpleviewr.swf
Vulnerability: Execution of javascript and content spoofing
Version: All versions seem vulnerable with modified payloads
Dork: filetype:swf intext:SimpleViewer
Credits: @APT1337, @kelodymelody

SimpleViewer is a free image gallery viewer which comes as a swf flash script which loads a gallery of images from a local gallery.xml file. SimpleViewer is used on hundreds of thousands of web servers by a range of different users, from bloggers all the way to government.
After receiving no feedback from the developers of SimpleViewer in regards to this vulnerability, and attempting to reach out to numerous affected customers of SimpleViewer, again with no feedback, I feel the need to disclose this vulnerability in full, publicly, so that people can remove SimpleViewer from their websites. I did try to warn you... @NASA, @NYCOURTS, @IEEE, @MIT, @ACM.

SimpleViewer is able to load the gallery.xml file in a number of different ways:

http://www.example.com/viewer.swf
The above example loads gallery.xml locally on the server.

http://ift.tt/1Xq1rCI
The above example loads gallery.xml or another .xml file defined using the xmlDataPath variable.

http://ift.tt/1PNEhao
The above example loads a remote gallery.xml file, providing the remote server has a cross-domain policy. This can allow an attacker to include remote malicious xml files into the SimpleViewer application.

SimpleViewer does not check that the gallery.xml file being loaded is stored locally within the same domain, nor that it is being loaded from a known/safe remote location. SimpleViewer can be forced to load remote malicious galleries providing that the server with the remote gallery has a cross-domain policy file (crossdomain.xml). This means that an attacker can load a remote malicious xml file into SimpleViewer, which allows an attacker to both spoof content and execute javascript within the context of the user's browser. This can be used by an attacker to trick users into logging in to a fake login page to steal login information, or to trick users into downloading malicious files.

Before we can exploit this vulnerability in SimpleViewer we must first create a cross-domain policy file (crossdomain.xml) which allows SimpleViewer to fetch the payload from our server.
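The check the advisory says is missing, written out as an added defender-side example (this is not part of the advisory and not SimpleViewer's own code): a gallery XML path is accepted only when it resolves to the same origin as the page embedding the SWF, or to an explicitly allow-listed origin. The same check is then run over web-server access-log lines to flag requests that point the viewer at an XML file on another host. The parameter name xmlDataPath comes from the advisory; the log lines, IP addresses and host names are constructed samples.

```python
"""Added example (defender-side; not part of the advisory and not SimpleViewer's code).

1. xml_path_allowed() is the origin check the advisory says the viewer lacks.
2. scan_access_log() runs that check over access-log lines and reports requests
   to the viewer whose XML path fails it.

Assumptions: xmlDataPath is the parameter named in the advisory; the log lines
below are constructed samples in Apache/nginx combined format.
"""
import re
from urllib.parse import parse_qs, urljoin, urlsplit

XML_PATH_PARAMS = ("xmlDataPath",)   # from the advisory; add other names if your deployment uses them

# Apache/nginx combined log format; only the fields we need are named
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def origin_of(url):
    """(scheme, host, port) with default ports filled in, so http://a and http://a:80 compare equal."""
    p = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port or default_port)


def xml_path_allowed(page_url, xml_path, allowed_origins=()):
    """The missing check: accept xml_path only if it is same-origin with page_url or allow-listed.

    Relative paths resolve against the page URL (so "gallery.xml" stays local);
    anything that is not http(s) after resolution (javascript:, data:, file:)
    is rejected outright.
    """
    target = origin_of(urljoin(page_url, xml_path))
    if target[0] not in ("http", "https"):
        return False
    if target == origin_of(page_url):
        return True
    return any(target == origin_of(allowed) for allowed in allowed_origins)


def scan_access_log(lines, site_origin, allowed_origins=()):
    """Return [(client_ip, request_target, xml_path)] for .swf requests whose XML path fails the check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # not a combined-format line; skip it
        target = m.group("target")
        path, _, query = target.partition("?")
        if not path.lower().endswith(".swf"):
            continue                         # only the Flash viewer takes these parameters
        params = parse_qs(query)             # percent-decodes values such as http%3A%2F%2F...
        for name in XML_PATH_PARAMS:
            for value in params.get(name, []):
                if not xml_path_allowed(site_origin + path, value, allowed_origins):
                    hits.append((m.group("ip"), target, value))
    return hits


# Constructed sample log lines: a plain gallery load, a local xmlDataPath, two that
# point the viewer at a foreign host (absolute and protocol-relative), one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2015:10:01:02 +0000] "GET /gallery/viewer.swf HTTP/1.1" 200 51234
203.0.113.7 - - [25/Nov/2015:10:01:03 +0000] "GET /gallery/viewer.swf?xmlDataPath=gallery2.xml HTTP/1.1" 200 51234
198.51.100.9 - - [25/Nov/2015:10:02:11 +0000] "GET /gallery/viewer.swf?xmlDataPath=http%3A%2F%2Fgallery-host.invalid%2Fgallery.xml HTTP/1.1" 200 51234
198.51.100.9 - - [25/Nov/2015:10:02:12 +0000] "GET /gallery/viewer.swf?xmlDataPath=%2F%2Fgallery-host.invalid%2Fgallery.xml HTTP/1.1" 200 51234
192.0.2.4 - - [25/Nov/2015:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""


def findings():
    """Run the scan over the constructed sample with www.example.com as the hosting site."""
    return scan_access_log(SAMPLE_LOG.splitlines(), "http://www.example.com")


if __name__ == "__main__":
    for ip, target, value in findings():
        print(f"{ip} asked the viewer to load a cross-origin gallery XML: {value}  ({target})")
```

Two of the five constructed lines are reported, both from 198.51.100.9. Note that the protocol-relative form `//host/gallery.xml` is caught only because the path is resolved against the page URL before the origins are compared; a check that merely looks for `http://` in the parameter would miss it.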
The crossdomain.xml file would consist of the following code:

The above crossdomain.xml file should be placed in the webroot of the remote server where the remote gallery.xml file is located.

SimpleViewer allows the user to customize their gallery using a number of different variables which are set within the gallery.xml file. Below is a small list of variables that can be used within the gallery.xml file:

title - Text to display as gallery title.
imagePath - Relative or absolute path to images folder.
thumbPath - Relative or absolute path to thumbnail images folder.
backgroundImagePath - Relative or absolute path to a JPG or SWF to load as the gallery background.

An example of one of these gallery.xml files is provided as a demo on simpleviewer.net, located at the following URL:

Gallery: http://ift.tt/1Xq1uhK

SimpleViewer.
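Because the path variables above accept absolute URLs, a gallery file can also pull images, or a background SWF, from a foreign host. The following added example (not the advisory's code and not SimpleViewer's) is a check a site operator could run over the gallery.xml files it hosts before serving them: the three path variables the advisory lists must stay on the hosting site. The element layout of the two constructed sample galleries is assumed; the check keys on attribute names only, so it does not depend on the element names.

```python
"""Added example (defender-side; not the advisory's code and not SimpleViewer's code).

Validates a gallery.xml: imagePath, thumbPath and backgroundImagePath (names
from the advisory) must be relative or root-relative paths, never a URL that
carries a scheme or a host. The sample galleries are constructed and their
element layout is assumed.
"""
import xml.etree.ElementTree as ET   # adequate for the constructed samples; use defusedxml for untrusted input
from urllib.parse import urlsplit

PATH_ATTRS = ("imagePath", "thumbPath", "backgroundImagePath")   # names from the advisory


def is_same_site_path(value):
    """True for a relative or root-relative path; False for anything carrying a scheme or a host.

    Rejects http://host/..., //host/... (protocol-relative), javascript: and
    data: values, and backslashes. A first path segment containing ':' is
    parsed as a scheme, exactly as a URL parser would, so it is rejected too.
    """
    if not value:
        return True                      # empty = viewer default
    if "\\" in value or "\x00" in value:
        return False
    parts = urlsplit(value)
    return not (parts.scheme or parts.netloc)


def validate_gallery_xml(xml_text):
    """Return [(attribute, value, reason)] for every unsafe value; an empty list means the file passed."""
    problems = []
    for elem in ET.fromstring(xml_text).iter():          # every element, whatever its name
        for attr, value in elem.attrib.items():
            if attr in PATH_ATTRS and not is_same_site_path(value):
                problems.append((attr, value, "must be a same-site path, not a URL on another host"))
    return problems


# Constructed sample galleries (element layout assumed).
SAFE_GALLERY = """<simpleviewergallery title="Holiday photos" imagePath="images/" thumbPath="thumbs/"
    backgroundImagePath="/galleries/shared/bg.jpg">
  <image imageURL="001.jpg" thumbURL="001.jpg"><caption>Beach</caption></image>
</simpleviewergallery>"""

REMOTE_GALLERY = """<simpleviewergallery title="Holiday photos"
    imagePath="http://gallery-host.invalid/images/"
    thumbPath="//gallery-host.invalid/thumbs/"
    backgroundImagePath="http://gallery-host.invalid/bg.swf">
  <image imageURL="001.jpg" thumbURL="001.jpg"><caption>Beach</caption></image>
</simpleviewergallery>"""


def check_samples():
    """Validate both constructed samples; returns {name: findings}."""
    return {"safe": validate_gallery_xml(SAFE_GALLERY),
            "remote": validate_gallery_xml(REMOTE_GALLERY)}


if __name__ == "__main__":
    for name, problems in check_samples().items():
        print(name, "OK" if not problems else "")
        for attr, value, reason in problems:
            print(f"  {attr}={value!r}: {reason}")
```

The safe sample passes, the remote sample is reported on all three path attributes. The backgroundImagePath case is the one worth watching: the advisory notes it may point at an SWF, and an SWF fetched from another origin runs in the gallery's own security context.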

Source: Gmail -> IFTTT -> Blogger
