Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: web5423.htm

Flash with embedded Javascript bypass all browser & web sites protections for CSS



11th Jun 2002 [SBWID-5423]
COMMAND

	Flash with embeeded  Javascript  bypass  all  browser  &  web  sites
	protections for CSS

SYSTEMS AFFECTED

	All web sites allowing users to upload flash

PROBLEM

	Obscure from EyeonSecurity [http://eyeonsecurity.net/] found  a  way  to
	use flash in cross site scripting.
	

	 Abstract

	 ========

	

	In this document  we  will  be  describing  a  loophole,  with  security
	implications, found in many websites that allow Flash  documents  to  be
	inserted within HTML, or uploaded to the server. This  paper  relies  on
	the fact that a huge number of web  surfers  have  installed  Macromedia
	Flash plugin/ActiveX control, for an attacker  to  launch  a  Cross-site
	scripting attack. We will not go into a  lot  of  detail  in  describing
	Cross-site scripting attacks in  general;  However  we  hope  that  this
	paper will explain how Flash documents can be used to inject  JavaScript
	into otherwise well filtered Web Applications.
	

	See http://eyeonsecurity.net/papers/flash-xss.htm for more.

SOLUTION

	Web sites should filter  getURL() in uploaded flash objects.
	

	see paper for more details.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH