Back to list
FlashCanvas 1.5 proxy.php XSS Vulnerability
Dec 11 2013 03:59PM
code 7elements co uk
Title: FlashCanvas proxy.php XSS Vulnerability
Date published: 11 December 2013
Script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ?url? GET parameter and rendering it.
FlashCanvas 1.5 and possibly older.
FlashCanvas is also used in other software frameworks such as WebShims, therefore the affected software maybe wider.
Description of Issue
The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ?url? GET parameter and rendering it. This leads to some interesting possibilities, the one proved being cross-site scripting.
More technical detail can be found here:
We would recommend updating to version 1.6 http://flashcanvas.net/release/1.6
[ reply ]
Copyright 2010, SecurityFocus