Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
Web tools create XSS headaches
Published: 2008-01-07

Adobe Flash files created by a number of Web authoring platforms could be co-opted by an online fraudster to conduct a cross-site scripting attack, security researchers stated last week.

A paper authored by Google security researcher Richard Cannings found that the Flash files created by at least five Web site authoring systems, including Adobe Dreamweaver and InfoSoft FusionCharts, could be used to to bypass anti-phishing measures. By creating a link that passes Javascript code to the Flash files, an attacker can cause a victim to run malicious code in the security context of a potentially trusted Web server, Canning stated in a summary of his findings.

While pinpointing which sites are running vulnerable Flash files is difficult, hundreds of thousands of Web sites could be affected, Web security researcher Jeremiah Grossman wrote on his blog this weekend.

"Because this issue is NOT a universal XSS as it is the case of the Adobe PDF bug, issues are going to be harder to track down," wrote Grossman, who is the chief technology officer for WhiteHat Security. 'We’re going to have to figure out ways decompile (or) reverse engineer Flash files to determine what authoring tool was used and update our vulnerability scanners so that Flash files can be tested in much the same ways as a web application."

The issue is separate from a vulnerability in Flash files that Adobe fixed last month, the researchers said. Adobe issued a patch in December to fix ten critical vulnerabilities in its Flash software, among them modifications to eliminate cross-site scripting attacks using the asfunction: protocol handler (corrected) and navigateToURL() function. On December 24, InfoSoft fixed its cross-site scripting issue by allowing only the loading of relative URLs, not absolute URLs.

Grossman stressed that vulnerable Flash animations will remain on the Web for some time, as Web developers first have to patch their authoring tools, then create new Flash files and upload those files to their sites. In many cases, a third-party developer maintains the Web site, which will increase delays, he said.

If you have tips or insights on this topic, please contact SecurityFocus.

CORRECTION: An 's' was dropped from Richard Cannings name in the original article, and asfunction: should have been referred to as a protocol handler.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:
Web tools create XSS headaches 2008-01-07
Web tools create XSS headaches 2008-01-08


Privacy Statement
Copyright 2009, SecurityFocus