4.3 - VU#249337

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	Flash authoring tools create Flash files that contain cross-site scripting vulnerabilities

Informations
Name	VU#249337	First vendor Publication	2008-01-02
Vendor	VU-CERT	Last vendor Modification	2008-01-17
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score	4.3	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#249337

Flash authoring tools create Flash files that contain cross-site scripting vulnerabilities

Overview

A number of authoring tools for Flash content may generate files that contain cross-site scripting vulnerabilities. Any site hosting Flash generated by an affected tool could be vulnerable to cross-site scripting.

I. Description

ActionScript is a scripting language based on ECMAScript (also referred to as JavaScript) used primarily for the development of websites and software using Adobe Flash. The resulting Flash content is typically published in the form of SWF files embedded in web pages. ActionScript within a Flash file creates dynamic content on the web and interacts with web browsers in a manner similar to JavaScript, VBScript, and other client-side scripting languages. As with traditional script content in HTML pages, improperly validated user-controlled input in Flash files can execute arbitrary ActionScript and JavaScript in the context of the domain hosting the affected Flash file. One specific type of vulnerability depends on the behavior of a special ActionScript protocol called asfunction. The asfunction protocol is used for URLs in HTML text fields and causes a link to invoke an ActionScript function in a Flash file instead of opening a URL. An attacker could call all public and static functions by supplying a string parameter to asfunction. There exist other types of vulnerabilities as well.

Applications that generate Flash files (e.g., "save as SWF", "export to SWF", etc.) by using vulnerable templates or by including static Flash content like a controller may automatically insert generic and vulnerable ActionScript into saved files. As a result, all Flash files generated by these affected applications create cross-site scripting vulnerabilities in the domains hosting these files. Furthermore, exploitation of these vulnerabilities would be consistent across all sites using a particular product and vulnerable sites could be identified through a web search.

II. Impact

Any website hosting Flash files generated by an affected product is vulnerable to cross-site scripting in the context of the domain hosting the vulnerable file. Secondary impacts include the ability to spoof or modify web content, access website information such as cookies, or retrieve data from an encrypted HTTPS connection. For a more detailed description of the impact of cross-site scripting vulnerabilities, please see CERT Advisory CA-2000-02.

III. Solution

Upgrade or apply an update or patch

Updates for affected authoring tools have been released to address this issue. Please see the Systems Affected section of this document for more information. Note that this section is not complete, vendors that create vulnerable Flash authoring tools may not be listed.

Vulnerable Flash files must be regenerated after the affected authoring tools have been updated.

Adobe has included mitigations in Flash Player to block attacks against some cross-site scripting vulnerabilities in Flash files (APSB07-20).

Workarounds

Until patches can be applied and affected Flash files regenerated, website owners may wish to remove automatically generated Flash files or at least serve automatically generated Flash files from "safe" domains, such as numbered IP addresses.

Developers of applications that save to SWF are encouraged to perform proper input validation on all user definable variables used in URL loading ActionScript functions and the htmlText variable. Specifically,

Whitelist protocol handlers to allow only "http:" and "https:" in all URL loading functions.
Whitelist characters in user definable input when used in getURL(). Do not rely on escape(). When feasible, only allow alphanumeric characters.
Whitelist and/or HTML entity encode user input in htmlText.
Load SWF files from relative URLs. The relative URL should not contain "..".

Systems Affected

Vendor	Status	Date Updated
Adobe	Vulnerable	17-Jan-2008
Autodemo	Vulnerable	13-Dec-2007
InfoSoft Global	Vulnerable	13-Dec-2007
TechSmith Corporation	Vulnerable	13-Dec-2007

References

http://www.wisec.it/sectou.php?id=464dd35c8c5ad
http://eyeonsecurity.org/papers/flash-xss.pdf
http://docs.google.com/View?docid=ajfxntc4dmsq_14dt57ssdw
http://www.adobe.com/support/security/advisories/apsa07-06.html
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
http://code.google.com/p/flash-validators/
https://www.owasp.org/index.php/Category:SWFIntruder
http://www.mhprofessional.com/product.php?isbn=0071494618

Credit

Thanks to Rich Cannings of the Google Security Team for reporting this vulnerability. Stefano Di Paola of Minded Security originally published information about the general problem of cross-site scripting in Flash applications.

This document was written by Chad Dougherty.

Other Information

Date Public	05/18/2007
Date First Published	01/02/2008 03:16:35 PM
Date Last Updated	01/17/2008
CERT Advisory
CVE Name
Metric	5.40
Document Revision	49

Original Source

Url : http://www.kb.cert.org/vuls/id/249337

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-79	Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type	Description	Count
Application	Adobe Dreamweaver cpe:2.3:a:adobe:dreamweaver::::::::	1
Application	Infosoftglobal Fusion Charts cpe:2.3:a:infosoftglobal:fusion_charts::::::::	1
Application	Techsmith Camtasia Studio cpe:2.3:a:techsmith:camtasia_studio:4.0.1:::::::* cpe:2.3:a:techsmith:camtasia_studio:4.0.0:::::::* cpe:2.3:a:techsmith:camtasia_studio:3.1.2:::::::* cpe:2.3:a:techsmith:camtasia_studio:3.1.1:::::::* cpe:2.3:a:techsmith:camtasia_studio:3.1.0:::::::* cpe:2.3:a:techsmith:camtasia_studio:3.0.2:::::::* cpe:2.3:a:techsmith:camtasia_studio:3.0.1:::::::* cpe:2.3:a:techsmith:camtasia_studio:3.0.0:::::::* cpe:2.3:a:techsmith:camtasia_studio:2.1.2:::::::* cpe:2.3:a:techsmith:camtasia_studio:2.1.1:::::::* cpe:2.3:a:techsmith:camtasia_studio:2.1.0:::::::* cpe:2.3:a:techsmith:camtasia_studio:2.0.5:::::::* cpe:2.3:a:techsmith:camtasia_studio:2.0.4:::::::* cpe:2.3:a:techsmith:camtasia_studio:2.0.3:::::::* cpe:2.3:a:techsmith:camtasia_studio:2.0.2:::::::* cpe:2.3:a:techsmith:camtasia_studio:2.0.1:::::::* cpe:2.3:a:techsmith:camtasia_studio:2.0:::::::* cpe:2.3:a:techsmith:camtasia_studio:1.1.1:::::::* cpe:2.3:a:techsmith:camtasia_studio:1.1:::::::* cpe:2.3:a:techsmith:camtasia_studio:1.0.1:::::::* cpe:2.3:a:techsmith:camtasia_studio:1.0:::::::*	21

Open Source Vulnerability Database (OSVDB)

Id	Description
56437	InfoSoft FusionCharts Shockwave Flash (SWF) Actionscript dataURL Parameter IM...
56436	Adobe Dreamweaver Shockwave Flash (SWF) Actionscript skinName Parameter asfun...
40102	Camtasia Studio Pre-generated SWF File csPreloader Parameter XSS TechSmith Camtasia contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'csPreloader' variable upon calling an SWF file. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Nessus® Vulnerability Scanner

Date	Description
2008-01-10	Name : The remote Windows host contains an application that reportedly allows arbitr... File : camtasia_cspreloader_cmd_exec.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 12:07:39	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	3
CPE ID(s)	23
osvdb(s)	3
Nessus® Exploit(s)	1

	Related
4.3	CVE-2008-6062
4.3	CVE-2008-6061
4.3	CVE-2008-6060
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)