XSS in Automatically Generated and Controller SWFs
Popularity: 1
Simplicity: 5
Impact: 8
Risk Rating: 9
Many applications automatically generate SWFs (e.g., "Save as SWF" or "Export to
SWF"). The output is generally one or more SWF and HTML files that are intended to be
published on a company website. Unfortunately, many of these applications, including
Adobe Dreamweaver, Adobe Connect, Macromedia Breeze, TechSmith Camtasia,
Autodemo, and InfoSoft FusionCharts, create SWF files with the same XSS vulnerabilities
described in this chapter: the generated ActionScript reads a parameter from the query
string or FlashVars and passes it unvalidated to a URL-loading call. As of October 28, 2007,
an estimated 500,000 SWFs were vulnerable, affecting a considerable percentage of major
Internet sites. Thus, be cautious of all SWFs you host, not just the ones you wrote.
Adobe provides some protection against asfunction:-based XSS in its upcoming
Flash Player release, but many SWFs created with the above applications will still be
exploitable (for example, through javascript: URLs, which the player change does not
address). Furthermore, there are probably many more applications that generate
vulnerable SWFs. For more information see US-CERT vulnerability note VU#249337.
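The advice to be cautious of every SWF you host implies an inventory step: find the SWFs in a web root and pull out the strings that the asfunction:/javascript: XSS patterns in this chapter depend on, so a human can review those files first. The following triage script is an added example written for this page, not code from the book or from any of the vendors named above. It assumes only the documented SWF container layout (a 3-byte signature of FWS for uncompressed or CWS for zlib-compressed files, a version byte, a 4-byte little-endian length, then the body), and it scans the decompressed body for marker strings such as getURL and javascript:. A match means "review this file", not "this file is exploitable"; the SWF used to exercise it is a constructed fixture, not a real movie.

```python
"""Triage hosted SWFs for strings that warrant a manual XSS review.

Added example: a string-level triage tool, not a decompiler. ActionScript 2
string constants (including URL schemes and parameter names) are stored in
cleartext in the decompressed SWF body, so a simple scan finds candidates.
"""
import os
import re
import sys
import zlib
from typing import Dict, List, Optional

# Strings that appear in the vulnerable patterns discussed in this chapter.
# Their presence is a reason to read the file, not proof of a vulnerability.
REVIEW_MARKERS = [
    b"getURL", b"loadMovie", b"navigateToURL", b"ExternalInterface",
    b"asfunction:", b"javascript:", b"_root.", b"_level0.", b"clickTAG",
]

# Printable ASCII runs of 4+ bytes, which is where constant-pool strings surface.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def decompress_swf(data: bytes) -> Optional[bytes]:
    """Return the SWF body following the 8-byte header, or None if not FWS/CWS."""
    if len(data) < 8:
        return None
    sig = data[:3]
    if sig == b"FWS":                       # uncompressed SWF
        return data[8:]
    if sig == b"CWS":                       # zlib-compressed from byte 8 onward
        try:
            return zlib.decompress(data[8:])
        except zlib.error:
            return None
    # ZWS (LZMA-compressed, Flash Player 13+) is deliberately not handled here.
    return None


def scan_swf_bytes(data: bytes) -> Dict[str, object]:
    """Report which review markers occur in a SWF and the strings containing them."""
    body = decompress_swf(data)
    if body is None:
        return {"swf": False, "markers": [], "hits": []}
    markers = [m.decode() for m in REVIEW_MARKERS if m in body]
    # Show the full printable string around each marker (e.g. "javascript:alert(1)").
    hits = [run.decode() for run in _PRINTABLE_RUN.findall(body)
            if any(m in run for m in REVIEW_MARKERS)]
    return {"swf": True, "version": data[3], "markers": markers, "hits": hits}


def scan_webroot(root: str) -> List[Dict[str, object]]:
    """Walk a directory tree and triage every *.swf file found."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".swf"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    report = scan_swf_bytes(fh.read())
                report["path"] = path
                results.append(report)
    return results


def build_cws(body: bytes, version: int = 8) -> bytes:
    """Wrap raw bytes in a CWS container. Test fixture only; not a playable movie."""
    length = 8 + len(body)
    return b"CWS" + bytes([version]) + length.to_bytes(4, "little") + zlib.compress(body)


# Constructed sample: mimics the constant pool of a generated SWF that passes
# a parameter to getURL. It is a fixture for this example, not a captured file.
SAMPLE_SWF = build_cws(b"\x00ConstantPool\x00_root.onend\x00getURL\x00javascript:alert(1)\x00")


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for r in scan_webroot(root):
        flag = "REVIEW" if r["markers"] else "ok"
        print(f"{flag:6} {r['path']}  markers={r['markers']}  hits={r['hits']}")
```

Run it as `python swf_triage.py /var/www/html` and read the REVIEW lines first. Because it is a string scan, a SWF that builds its URL from fragments, or one obfuscated after export, can slip past it; the check reduces the review queue rather than replacing a look at the ActionScript.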
Securing Your Flash Applications
Flash and ActionScript developers must understand that insecure Flash applications
affect their users just as much as server-side web application vulnerabilities do.