exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

clickTAG.txt

clickTAG.txt
Posted Apr 16, 2003
Site securiteam.com

A vulnerability discovered in Macromedia Flash in the advertisement user tracking field allows a remote user to perform Cross Site Scripting attacks and retrieve session information.

tags | advisory, remote, xss
SHA-256 | 34cb76eaf3582ec18e4bc5d34fcd6e9901f19799e986a3588f9d2598636673d3

clickTAG.txt

Change Mirror Download
This advisory is available online at:
http://www.securiteam.com/securitynews/5XP0B0U9PE.html


Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy
Breach
------------------------------------------------------------------------


SUMMARY

"Over 497 million Internet users now use Macromedia Flash Player to
seamlessly view content created with Macromedia Flash, the solution for
developing rich Internet content and applications."

A vulnerability discovered in Macromedia Flash ad user tracking field
allows a remote user to perform Cross-Site-Scripting attacks and
retrieve
session information.



DETAILS

About the 'clickTAG' option:

Macromedia flash supplies user-tracking field to swf (flash movies) ads:
"The clickTAG is the tracking code assigned by the ad serving network to

an individual ad. The clickTAG allows the network to register where the
ad
was displayed when it was clicked on. This click through data is
reported
to the ad serving servers so advertisers may determine the effectiveness

of their campaign.

The code below will allow ad serving networks to dynamically assign a
clickTAG to their ad.

In this example, a getURL action is being assigned to a button that will

navigate the browser to ["clickTAG"]. The "getURL(clickTAG)" statement
appends the variable data passed in via the OBJECT EMBED tag and
navigates
the browser to that location. It is the tracking code assigned by the ad

serving network, which allows them to register a user's click on that
advertisement.

<EMBED src="ad_banner_example.swf?clickTAG=
http://adnetwork.com/tracking?http://www.destinationURL.com" > ..."

The information was taken from Macromedia designer's guide:
http://www.macromedia.com/resources/richmedia/tracking/designers_guide/

Vulnerability details:

Vulnerability in the clickTAG field enables a remote user to run
malicious
javascript code in the context of the remote web site, and therefore
retrieve session information and possibly other sensitive information.
For example in the following script:
http://www.example.com/victim.swf?clickTag=XXXX
("XXXX" = arbitrary script or tag)

Replacing "XXXX" with a script to steal cookies will enable an attacker
to
perform session hijacking if the session is saved in the cookie, or to
gain the private information present in ad tracking cookies.

Solution:

"A new player version is NOT required. Macromedia Flash advertisements
that accept clickTAGs need to validate that the clickTAG URL begins with

"http:". This helps ensure the clickTAG does not contain malicious
code."
Quote from the official Macromedia security advisory.

We recommend that all user input should be filtered for malicious code
and
characters and never trusted "as-is".

Vendor status:
We would like to thank Macromedia for its prompt response and
cooperation
for solving this issue.
Macromedia quickly acted to notify possibly affected sites and has
released an official security announcement, which can be found at:

http://www.macromedia.com/support/flash/ts/documents/clicktag_security.h
tm.

Macromedia has also revised the Designer's Guide and added this note:
"Note: The ActionScript in this Flash advertisement is verifying that
the
clickTAG URL begins with "http:". This is an important security measure.

If you do not take this precaution, a malicious HTML page could source
your SWF and pass a clickTAG URL that begins with "javascript:" or
another
scripting pseudo-protocol. If your ActionScript code were to call getURL

with a maliciously crafted JavaScript URL, it would be possible for the
site serving the malicious HTML page to obtain the contents of your HTTP

cookies or perform other actions on your site's behalf."


ADDITIONAL INFORMATION

The vulnerability was reported by Scan Security Wire
<http://www.scan-web.com>.


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close