Closed Bug 502047 Opened 15 years ago Closed 14 years ago

Flash parameter injection and cross site scripting when clicking on a malicious URL

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: lzcarl, Unassigned)

References

Details

(Whiteboard: [sg:needinfo]) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

Hi, all,

I found out a Flash Parameter Injection Vulnerability in Firefox 3.0+. 
First, I create a vulnerable flash named "myFlash" which uses navigateToURL API and the parameter is provided from FlashVar named "input". And I upload this Flash to a site such as www.mySite.com.
Second, I craft a link like
http://www.mySite.com/myFlash.swf?input=javascript:alert(1)
Third, I can send this link to other victim. When victim clicks on this link, the javascript code will be executed in the domain of www.mySite.com. I think it is a XSS vulnerability.

Here is my PoC link:
http://www.cs.indiana.edu/~lizho/click_to_navigate.swf?insc=javascript:alert%28document.cookie%29

When clicking on the button, the js code will be executed.

I think the js code should not be executed even if my Flash doesn't do sanitization. 

Reproducible: Always

Actual Results:  
XSS code executed.

Expected Results:  
The XSS code should be stopped.
I found out that IE will disallow the execution of javascript in the PoC, but Firefox will permit such execution. I don't know why Firefox will allow this, since this will give attacker a chance to steal user's credential just by sending a malicious URL.
Component: Security → Plug-ins
Product: Firefox → Core
QA Contact: firefox → plugins
See bug 372346.  Apparently disabling javascript: URLs broke Flash itself somehow?
Blocks: xss
Group: core-security
Whiteboard: [sg:want?]
Blocks: 372346
Flash (at least the NPAPI version) uses things like javascript:document.location all over the place to get information about the page it's running on.

I can't speak to the ActiveX version of Flash, which is what IE would be using.

We should probably cc the flash folks on this.
I can't reproduce this with the reporters PoC and the latest versions of Flash and Firefox 3.5.5.
Whiteboard: [sg:want?] → [sg:needinfo]
The functions navigateToURL and getURL are the methods in which an ActionScript developer can send URLs to the web browser for browser navigation.  It is true that a piece of SWF content could use these APIs to send javascript: URLs to the browser.  Many developers, such as those who create advertisements, will use these APIs along with javascript: URLs to communicate javascript commands to the hosting HTML. For instance, here are two common examples:

http://www.adspeed.com/Knowledges/855/Banner_Richmedia_Text/Expandable_rollover_Flash_ad.html
http://www.digitalartsonline.co.uk/tutorials/index.cfm?featureid=1773&pn=3

This is similar in concept to an anchor tag with a javascript: URL. The SWF content is just taking advantage of the javascript: URL support already provided by the web browser. Also, any plugin technology can send javascript: URLs to the web browser. This is not limited to SWF content. 

Adobe does provide some guidance on validating URLs prior to supplying them to navigateToURL() within our documentation: http://help.adobe.com/en_US/AS3LCR/Flash_10.0/flash/net/package.html#navigateToURL%28%29

While blocking javascript: URLs from Flash could reduce some XSS attacks, it will also break legitimate content.
Peleus, the question is why the IE version of your plug-in seems to have a different behavior here.
The difference in behavior has to due with the browsers.  Internet Explorer 7 introduced new security restrictions on  javascript: URL calls: http://msdn.microsoft.com/en-us/library/dd565656(VS.85).aspx  However, this was a decision that was made for all javascript: calls and not just those that originated from plugins.

Also, the test case provided does not actually try to load a javascript: URL.  It tries to load a malformed SWF from a Yahoo domain.
Is this a WONTFIX then? It's well-known that 
 1) if your site hosts random uploaded flash content then that content has
    easy access to attack your site
 2) if your page includes 3rd-party flash it has access to your page
    contents if the AllowScriptAccess param is set to "always". For very
    old flash (< 9.0.115) this was the default if the param was missing,
    but nowadays the default is "sameOrigin".

There's nothing particularly evil or special about flash with respect to behavior 1). If a site allows you to upload random HTML or Java classes you get the same results.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.