SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Apache Flex (formerly Adobe Flex)
Vendors:   Adobe Systems Incorporated
Adobe Flex SDK Input Validation Bug in 'index.template.html' Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1022748
SecurityTracker URL:  http://securitytracker.com/id/1022748
CVE Reference:   CVE-2009-1879
Date:  Aug 20 2009
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.3 SDK and prior
Description:   A vulnerability was reported in Adobe Flex SDK. A remote user can conduct cross-site scripting attacks.

The default 'index.template.html' file does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running pages created with the Adobe Flex software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/Flex/index.template.html?"/></object><script>alert('XSS')</script>

The vendor was notified on June 29, 2009.

Adam Bixby of Gotham Digital Science reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the pages created using the Adobe Flex SDK software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (3.4).

The vendor's advisory is available at:

http://www.adobe.com/support/security/bulletins/apsb09-13.html

Vendor URL:  www.adobe.com/support/security/bulletins/apsb09-13.html
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise), Linux (SuSE), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Adobe Flex 3.3 SDK DOM-Based XSS

==================================================
Adobe Flex 3.3 SDK DOM-Based XSS
Public Release Date: 8/19/2009
Adam Bixby - Gotham Digital Science
Affected Software:  Adobe Flex 3.3 SDK and earlier

==================================================
1. Summary
==================================================

Adobe Flex is a software development kit released by Adobe Systems for the development and deployment of cross-platform rich Internet applications based on the Adobe Flash platform. An instance of a DOM-based Cross-Site Scripting (XSS) vulnerability was found in the default index.template.html of the SDK, an HTML template used by Flex Builder to generate the wrapper HTML for all the application files in your project. The XSS vulnerability appears to affect all users who download and utilize this HTML wrapper. You can find more information on DOM-based XSS here: http://www.owasp.org/index.php/DOM_Based_XSS

The vendor (Adobe Systems) was notified of this issue on June 29, 2009. The vendor responded by releasing version 3.4 on August 19, 2009 and has also issued a security bulletin: http://www.adobe.com/support/security/bulletins/apsb09-13.html.


==================================================
2. Technical Details
==================================================

File: index.template.html

1) Data enters via URL parameters through the window.location JavaScript object, is then stored in the MMredirectURL variable, and is passed to the AC_FL_RunContent() function.

Line 59:
..snip..
var MMredirectURL = window.location;
..snip..

Line 63:
AC_FL_RunContent(
    ..snip..
    "FlashVars", "MMredirectURL=" + MMredirectURL + '&MMplayerType=' + MMPlayerType + '&MMdoctitle=' + MMdoctitle + "",
    ..snip..

2) The MMredirectURL variable with user-controllable input is passed to AC_GetArgs and ultimately to AC_Generateobj, which performs a document.write. Writing the un-validated data to HTML creates the XSS exposure.

File: AC_OETags.js

Line 200:
function AC_FL_RunContent(){
  var ret =
    AC_GetArgs
    (  arguments, ".swf", "movie", "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
     , "application/x-shockwave-flash"
    );
  AC_Generateobj(ret.objAttrs, ret.params, ret.embedAttrs);
}

Line 178:
function AC_Generateobj(objAttrs, params, embedAttrs)
{
  var str = '';
  if (isIE && isWin && !isOpera)
  {
    // attribute names and values are concatenated into the markup without any encoding
    str += '<object ';
    for (var i in objAttrs)
      str += i + '="' + objAttrs[i] + '" ';
    str += '>';
    for (var i in params)
      str += '<param name="' + i + '" value="' + params[i] + '" /> ';
    str += '</object>';
  } else {
    str += '<embed ';
    for (var i in embedAttrs)
      str += i + '="' + embedAttrs[i] + '" ';
    str += '> </embed>';
  }

  // the assembled string, including the unencoded FlashVars value, is written straight into the document
  document.write(str);
}


NOTE: For the exploit to work, the end user must have installed an older version of Adobe Flash than the value that is set in the Globals variable "requiredMajorVersion" (Line 36).
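The data flow described above (window.location into the FlashVars string, then raw concatenation into <object>/<param> markup that is handed to document.write) can be checked offline. The following is an added example and not code from the Flex SDK or from the advisory: it rebuilds the advisory's concatenation pattern as a pure function that returns the markup instead of writing it, beside a hardened builder that HTML-attribute-encodes every interpolated value and restricts MMredirectURL to a plain http(s) URL, plus a small check that flags markup in which the attribute boundary has been broken. The function names (buildFlashVars, buildObjectTagUnsafe, buildObjectTagSafe, escapeAttr, sanitizeRedirectURL, breaksOutOfAttribute, demo), the sample locations and the attribute set are assumptions made for this example; the encoding approach is a generic one and is not a description of how Adobe's 3.4 fix is implemented.

```javascript
// Added example (not Flex SDK or advisory code). Function names, sample
// locations and attribute sets below are assumptions made for this example.

// Mirrors index.template.html: the FlashVars string carries MMredirectURL,
// which the template takes straight from window.location (the query string
// is under the control of whoever crafted the link). A string stands in for
// the location object here; concatenating the real object yields its href.
function buildFlashVars(redirectURL, playerType, docTitle) {
  return 'MMredirectURL=' + redirectURL + '&MMplayerType=' + playerType +
         '&MMdoctitle=' + docTitle;
}

// The advisory's vulnerable pattern: raw concatenation, no encoding.
// Returns the markup instead of calling document.write so it can be inspected.
function buildObjectTagUnsafe(objAttrs, params) {
  var str = '<object ';
  for (var i in objAttrs) str += i + '="' + objAttrs[i] + '" ';
  str += '>';
  for (var i in params) str += '<param name="' + i + '" value="' + params[i] + '" /> ';
  str += '</object>';
  return str;
}

// Hardened layer 1: encode the characters that can close a double- or
// single-quoted attribute or open a new tag, so whatever the value contains
// stays inside value="...". The browser decodes &amp; back to & when it reads
// the attribute, so FlashVars parsing is unaffected.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened layer 2: MMredirectURL is a URL the player installer sends the user
// back to, so accept only a plain http(s) URL and drop anything else.
function sanitizeRedirectURL(url) {
  var s = String(url);
  return /^https?:\/\/[^\s"'<>]+$/i.test(s) ? s : '';
}

// Same structure as the unsafe builder, with every name and value encoded.
function buildObjectTagSafe(objAttrs, params) {
  var str = '<object ';
  for (var i in objAttrs) str += escapeAttr(i) + '="' + escapeAttr(objAttrs[i]) + '" ';
  str += '>';
  for (var i in params) {
    str += '<param name="' + escapeAttr(i) + '" value="' + escapeAttr(params[i]) + '" /> ';
  }
  str += '</object>';
  return str;
}

// Detection helper for generated markup: the template means to emit exactly
// one <object> element and never a <script> element.
function breaksOutOfAttribute(markup) {
  var objectCloses = (markup.match(/<\/object>/gi) || []).length;
  return objectCloses !== 1 || /<script\b/i.test(markup);
}

// Constructed sample locations: one whose query string has the attribute-breakout
// shape from the advisory (a quote, a closing tag, a script element), one benign.
var TAINTED_LOCATION = 'http://flexapp.example/Flex/index.template.html?"/></object><script>alert(1)</script>';
var CLEAN_LOCATION = 'http://flexapp.example/Flex/index.template.html?user=42';

// Build the markup both ways for a given location and return both strings.
function demo(location) {
  var objAttrs = {
    classid: 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000',
    width: '100%',
    height: '100%'
  };
  var unsafeParams = {
    movie: 'playerProductInstall',
    FlashVars: buildFlashVars(location, 'ActiveX', 'Flex App')
  };
  var safeParams = {
    movie: 'playerProductInstall',
    FlashVars: buildFlashVars(sanitizeRedirectURL(location), 'ActiveX', 'Flex App')
  };
  return {
    unsafe: buildObjectTagUnsafe(objAttrs, unsafeParams),
    safe: buildObjectTagSafe(objAttrs, safeParams)
  };
}

console.log('unsafe flagged:', breaksOutOfAttribute(demo(TAINTED_LOCATION).unsafe));
console.log('safe flagged:  ', breaksOutOfAttribute(demo(TAINTED_LOCATION).safe));
```

Run with node: the unsafe builder emits a second </object> and a <script> element for the tainted location and is flagged; the hardened builder is not, and for the benign location it produces the same markup as the original apart from & being written as &amp; inside the attribute. Either hardening layer alone would keep the tainted value inside the attribute; both are kept because the redirect URL is also used as a navigation target, where encoding alone says nothing about the scheme.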

==================================================
3. Proof-of-Concept Exploit
==================================================

This vulnerability can be exploited against any Flex-based application that uses the index.template.html wrapper page containing the code above. In order to exploit this issue, the end user must have Adobe Flash installed, but it must be an older version than the required one set by the application owner (set in Globals variable "requiredMajorVersion").

Reproduction Request:
http://FlexApp/Flex/index.template.html?"/></object><script>alert('XSS')</script>


==================================================
4. Recommendation 
==================================================

Update to Flex 3.4 SDK or view Adobe's TechNotes on how to manually fix the issue: http://kb2.adobe.com/cps/495/cpsid_49530.html


==================================================
5. About Gotham Digital Science 
==================================================

Gotham Digital Science (GDS) is an international security services company specializing in Application and Network Infrastructure security, and Information Security Risk Management. For more information on GDS, please contact labs (at) gdssecurity.com or visit http://www.gdssecurity.com.

Copyright 2019, SecurityGlobal.net LLC