exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Adobe Flex 3.3 Cross Site Scripting

Adobe Flex 3.3 Cross Site Scripting
Posted Aug 23, 2009
Authored by Adam Bixby | Site gdssecurity.com

Adobe Flex versions 3.3 SDK suffers from a DOM-based cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 19e76a5fdee8f5a3cec432ecfb64d9d3567085717670c7c1135650fe4d2e853b

Adobe Flex 3.3 Cross Site Scripting

Change Mirror Download
==================================================
Adobe Flex 3.3 SDK DOM-Based XSS
Public Release Date: 8/19/2009
Adam Bixby - Gotham Digital Science
Affected Software: Adobe Flex 3.3 SDK and earlier

==================================================
1. Summary
==================================================

Adobe Flex is a software development kit released by Adobe Systems for the
development and deployment of cross-platform rich Internet applications
based on the Adobe Flash platform. An instance of a DOM-based Cross Site
Scripting (XSS) vulnerability was found in the default index.template.html
of the SDK that is an HTML template used by FlexBuilder to generate the
wrapper html for all the application files in your project. The XSS
vulnerability appears to affect all user's that download and utilize this
HTML wrapper. You can find more information on DOM-based XSS here:
http://www.owasp.org/index.php/DOM_Based_XSS


The vendor (Adobe Systems) was notified of this issue on June 29, 2009. The
vendor responded by releasing version 3.4 on August 19, 2009 and has also
issued a security bulletin:
http://www.adobe.com/support/security/bulletins/apsb09-13.html.


==================================================
2. Technical Details
==================================================

File: index.template.html

1) Data enters via URL parameters through the window.location javascript
object, is then stored into MMredirectURL variable, and passed to the
AC_FL_RunContent() function.

Line 59:
.snip..
var MMredirectURL = window.location;
.snip..

Line 63:
AC_FL_RunContent(
..snip..
"FlashVars", "MMredirectURL=" MMredirectURL '&MMplayerType='
MMPlayerType '&MMdoctitle=' MMdoctitle "",
..snip..

2) The MMredirectURL variable with user-controllable input is passed to
AC_GetArgs and ultimately to AC_Generateobj, which performs a
document.write. Writing the un-validated data to HTML creates the XSS
exposure.

File: AC_OETags.js

Line 200:
function AC_FL_RunContent(){
var ret =
AC_GetArgs
( arguments, ".swf", "movie",
"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
, "application/x-shockwave-flash"
);
AC_Generateobj(ret.objAttrs, ret.params, ret.embedAttrs);
}

Line 178:
function AC_Generateobj(objAttrs, params, embedAttrs)
{
var str = '';
if (isIE && isWin && !isOpera)
{
str = '<object ';
for (var i in objAttrs)
str = i '="' objAttrs[i] '" ';
str = '>';
for (var i in params)
str = '<param name="' i '" value="' params[i]
'" /> ';
str = '</object>';
} else {
str = '<embed ';
for (var i in embedAttrs)
str = i '="' embedAttrs[i] '" ';
str = '> </embed>';
}

document.write(str);
}


NOTE: For the exploit to work, the end user must have installed an older
version of Adobe Flash than the value that is set in the Globals variable
"requiredMajorVersion" (Line 36).

==================================================
3. Proof-of-Concept Exploit
==================================================

This vulnerability can be exploited against any Flex based application that
uses the index.template.html wrapper page containing the code above. In
order to exploit this issue, the end user must have Adobe Flash installed,
but it must be an older version than the required one set by the application
owner (set in Globals variable "requiredMajorVersion").

Reproduction Request:
http://FlexApp/Flex/index.template.html
?"/></object><script>alert('XSS')</script>


==================================================
4. Recommendation
==================================================

Update to Flex 3.4 SDK or view Adobe's TechNotes on how to manually fix the
issue: http://kb2.adobe.com/cps/495/cpsid_49530.html


==================================================
5. About Gotham Digital Science
==================================================

Gotham Digital Science (GDS) is an international security services company
specializing in Application and Network Infrastructure security, and
Information Security Risk Management. For more information on GDS, please
contact labs (at) gdssecurity.com or visit http://www.gdssecurity.com.
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close