Closed
Bug 502047
Opened 15 years ago
Closed 14 years ago
Flash parameter injection and cross site scripting when clicking on a malicious URL
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: lzcarl, Unassigned)
References
Details
(Whiteboard: [sg:needinfo])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729) Hi, all, I found out a Flash Parameter Injection Vulnerability in Firefox 3.0+. First, I create a vulnerable flash named "myFlash" which uses navigateToURL API and the parameter is provided from FlashVar named "input". And I upload this Flash to a site such as www.mySite.com. Second, I craft a link like http://www.mySite.com/myFlash.swf?input=javascript:alert(1) Third, I can send this link to other victim. When victim clicks on this link, the javascript code will be executed in the domain of www.mySite.com. I think it is a XSS vulnerability. Here is my PoC link: http://www.cs.indiana.edu/~lizho/click_to_navigate.swf?insc=javascript:alert%28document.cookie%29 When clicking on the button, the js code will be executed. I think the js code should not be executed even if my Flash doesn't do sanitization. Reproducible: Always Actual Results: XSS code executed. Expected Results: The XSS code should be stopped.
I found out that IE will disallow the execution of javascript in the PoC, but Firefox will permit such execution. I don't know why Firefox will allow this, since this will give attacker a chance to steal user's credential just by sending a malicious URL.
Updated•15 years ago
|
Component: Security → Plug-ins
Product: Firefox → Core
QA Contact: firefox → plugins
Comment 2•15 years ago
|
||
See bug 372346. Apparently disabling javascript: URLs broke Flash itself somehow?
Comment 3•15 years ago
|
||
Flash (at least the NPAPI version) uses things like javascript:document.location all over the place to get information about the page it's running on. I can't speak to the ActiveX version of Flash, which is what IE would be using. We should probably cc the flash folks on this.
Comment 4•15 years ago
|
||
I can't reproduce this with the reporters PoC and the latest versions of Flash and Firefox 3.5.5.
Whiteboard: [sg:want?] → [sg:needinfo]
Comment 5•15 years ago
|
||
The functions navigateToURL and getURL are the methods in which an ActionScript developer can send URLs to the web browser for browser navigation. It is true that a piece of SWF content could use these APIs to send javascript: URLs to the browser. Many developers, such as those who create advertisements, will use these APIs along with javascript: URLs to communicate javascript commands to the hosting HTML. For instance, here are two common examples: http://www.adspeed.com/Knowledges/855/Banner_Richmedia_Text/Expandable_rollover_Flash_ad.html http://www.digitalartsonline.co.uk/tutorials/index.cfm?featureid=1773&pn=3 This is similar in concept to an anchor tag with a javascript: URL. The SWF content is just taking advantage of the javascript: URL support already provided by the web browser. Also, any plugin technology can send javascript: URLs to the web browser. This is not limited to SWF content. Adobe does provide some guidance on validating URLs prior to supplying them to navigateToURL() within our documentation: http://help.adobe.com/en_US/AS3LCR/Flash_10.0/flash/net/package.html#navigateToURL%28%29 While blocking javascript: URLs from Flash could reduce some XSS attacks, it will also break legitimate content.
Comment 6•15 years ago
|
||
Peleus, the question is why the IE version of your plug-in seems to have a different behavior here.
Comment 7•15 years ago
|
||
The difference in behavior has to due with the browsers. Internet Explorer 7 introduced new security restrictions on javascript: URL calls: http://msdn.microsoft.com/en-us/library/dd565656(VS.85).aspx However, this was a decision that was made for all javascript: calls and not just those that originated from plugins. Also, the test case provided does not actually try to load a javascript: URL. It tries to load a malformed SWF from a Yahoo domain.
Comment 8•14 years ago
|
||
Is this a WONTFIX then? It's well-known that 1) if your site hosts random uploaded flash content then that content has easy access to attack your site 2) if your page includes 3rd-party flash it has access to your page contents if the AllowScriptAccess param is set to "always". For very old flash (< 9.0.115) this was the default if the param was missing, but nowadays the default is "sameOrigin". There's nothing particularly evil or special about flash with respect to behavior 1). If a site allows you to upload random HTML or Java classes you get the same results.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•