[WEB SECURITY] XSS vulnerabilities in 215000 flash files
mustlive at websecurity.com.ua
Thu Nov 27 13:22:46 EST 2008
Hello to Web Security Mailing List!
It's my first letter to the list and I decided to inform the community about my
Recently, on the 12th of November 2008, I found XSS vulnerabilities in 215000 flash
files. I wrote about it at my site http://websecurity.com.ua/2609/ (in
Ukrainian), and this is the English version of my article.
During my research of the vulnerability at cpmstar.com
(http://websecurity.com.ua/2607/), which I found on 19.01.2008, I found that
there are many flash files on the Internet with the same vulnerability. In total
there are up to 215000 flash files on the Internet which are vulnerable to
Cross-Site Scripting (at more than 200000 sites).
This can be seen from Google's data:
http://www.google.com.ua/search?q=filetype%3Aswf+inurl%3AclickTAG (note: at the
current time Google shows a different number, which is common for it)
And these are only those flashes which were indexed by Google; actually
there can be many more of them. In the results there are sites with non-vulnerable
flash files (or sites which no longer have the mentioned flashes),
but these are single instances, and almost all sites in Google's search results
are vulnerable. Besides, last year I already wrote that 500000 flash
files at popular sites are vulnerable to XSS.
The vulnerability is in the following AS code:
The attack occurs via passing XSS code to the flash file in the parameter clickTAG:
After a click on the flash, the string which was passed to the flash via the
parameter clickTAG is transferred to the function getURL. Thus the JS code which
was passed to the flash can be executed.
Note that flashes with target = "_blank" (in getURL) do not allow access to
cookies. And they also do not work in IE6. If target is set to something other
than "_blank" (or not set at all), then flashes give the possibility of accessing
cookies in all browsers (and they work in IE6).
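As an added example (not code from the original post), here is the allowlist check in JavaScript that an ad SWF's ActionScript should apply to clickTAG before handing it to getURL: only absolute http(s) URLs pass, so a javascript: or data: value never reaches the navigation call. The function names and the sample flashvars are constructed for illustration.

```javascript
// Added example, not from the original post: the scheme allowlist an ad SWF
// should enforce on clickTAG before calling getURL(clickTAG). Names and
// sample inputs below are constructed.

const ALLOWED_SCHEMES = ["http:", "https:"];

// True only if `value` parses as an absolute URL whose scheme is allowlisted.
// Leading control characters and whitespace are stripped first because browsers
// ignore them when reading a scheme, so "  JavaScript:..." must not slip through.
// Relative values ("//host/path") are rejected: they are not on the allowlist
// and their final scheme depends on the embedding page.
function isSafeClickTag(value) {
  if (typeof value !== "string") return false;
  const trimmed = value.replace(/^[\x00-\x20]+/, "");
  let parsed;
  try {
    parsed = new URL(trimmed); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.includes(parsed.protocol); // protocol is lowercased
}

// Stand-in for the SWF click handler: returns the URL to navigate to, or null
// when the flashvar fails the check (the caller then does nothing).
function resolveClickTarget(flashVars) {
  const tag = flashVars.clickTAG;
  return isSafeClickTag(tag) ? tag : null;
}

// Audit helper: counts how many captured flashvar sets would be accepted or
// dropped, e.g. when reviewing ad-server logs for injected clickTAG values.
function auditClickTags(flashVarsList) {
  const result = { allowed: 0, rejected: 0 };
  for (const fv of flashVarsList) {
    if (resolveClickTarget(fv) === null) result.rejected++;
    else result.allowed++;
  }
  return result;
}

// Constructed sample flashvars, as an embed tag or query string would pass them.
const SAMPLE_FLASHVARS = [
  { clickTAG: "http://example.com/landing" },
  { clickTAG: "https://example.com/landing?campaign=1" },
  { clickTAG: "javascript:alert(document.cookie)" },
  { clickTAG: "  JavaScript:alert(1)" },
  { clickTAG: "data:text/html,<script>alert(1)</script>" },
  { clickTAG: "//example.com/landing" },
  {},
];
```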
Here are other examples of vulnerable flashes at three sites:
There are similar flashes which use the variable clickTAG, with the following
The attack occurs using the variables clickTAG and TargetAS:
This allows access to cookies in all browsers, and the attack normally works in
These XSS are strictly social XSS, which I already mentioned concerning the
vulnerability at craigslist.org (http://websecurity.com.ua/2206/). I first
introduced this type of XSS holes last year with Cross-Site Scripting
in Mozilla and Firefox (http://websecurity.com.ua/1413/). I'll write in
detail about this class of vulnerabilities.
Best wishes & regards,
Administrator of Websecurity web site