============================================================
Link Farm Evolution 1.8.7 Cross Site Scripting Vulnerability
============================================================

Description: Link Farm evolution is a wordpress premium plugin used to
build backlinks.
Version  : 1.0
Severity : Low to Moderate

Authors  : Prakhar Prasad http://www.prakharprasad.com
           Rafay Baloch http://www.rafayhackingarticles.net
Vendor   : LinkFarmEvolution - http://linkfarmevolution.com/

Details:

The vulnerability exists inside the zeroclipboard.swf. Multiplle calls are
made to Externalinterface.call, The id parameter is an input parameter
which is passed to
the Externalinterface.call function wtihout being properly sanitised, hence
allowing us to execute javascript.



Vulnerable Code:

button.addEventListener(MouseEvent.MOUSE_OVER, function(event:Event) {
  ExternalInterface.call( 'ZeroClipboard.dispatch', id, 'mouseOver', null );
} );
button.addEventListener(MouseEvent.MOUSE_OUT, function(event:Event) {
ExternalInterface.call( 'ZeroClipboard.dispatch', id, 'mouseOut', null );
} );
button.addEventListener(MouseEvent.MOUSE_DOWN, function(event:Event) {
ExternalInterface.call( 'ZeroClipboard.dispatch', id, 'mouseDown', null );
} );
button.addEventListener(MouseEvent.MOUSE_UP, function(event:Event) {
ExternalInterface.call( 'ZeroClipboard.dispatch', id, 'mouseUp', null );
} );



Proof-of-Concept:

Multiplle calls are made to Externalinterface.call, The id parameter is an
input parameter which is passed to
the Externalinterface.call function wtihout being properly sanitised, hence
allowing us to execute javascript.

POC:

localhost/Link Farm Evolution 1.85/js/ZeroClipboard.swf#id=

Solution:

Any input passed through externalinterface.call function should be
escaped/sanitised.