HackerOne report H1:51265 (irsdl)
History: Mar 12, 2015 - 11:35 p.m.

Internet Bug Bounty: Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome

2015-03-12 23:35:49
irsdl
hackerone.com
125

Severity: 5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.008 (Low), Percentile: 79.4%

CVE-2015-0337: https://helpx.adobe.com/security/products/flash-player/apsb15-05.html
Chromium issue: https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&groupby=&sort=&id=425280

==VULNERABILITY DETAILS==
It is possible to bypass the Flash cross-domain policy in Google Chrome to read other websites' contents after a user uploads a file to a destination that redirects the user to the target website. It is also possible to send a file upload request to a target website without checking the cross-domain policy by using an open redirect with a status code of 307 (or 308).
This attack works as follows:
1- The "FileReference" class provides a means to upload a file to a target server in ActionScript.
2- It accepts a URL as the destination for the file upload process.
3- It also has access to the target website's contents via the "UPLOAD_COMPLETE_DATA" event. This event is dispatched after data is received from the server following a successful upload.
4- If the target website redirects the user to another website, Flash in Google Chrome follows the redirection and discloses the destination content via the "UPLOAD_COMPLETE_DATA" event (first security issue). Moreover, if the target website redirects the user with a status code of 307 (or 308), Google Chrome sends the same file upload request to the final destination without checking the cross-domain policy (second security issue).
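The two issues above come down to a single missing check: the plugin evaluated crossdomain.xml only for the URL the SWF named, not for each origin a redirect led to. The following Python model, added here as an illustration and not code from the report or from Adobe/Chromium, shows the behaviour a redirect-following upload client needs to be safe: every new origin must pass its own crossdomain.xml check before the response body is exposed (the first issue) or the POST body is replayed on a 307/308 (the second issue). The hostnames, the in-memory HTTP "server" and the policy documents are all constructed for the demo; 301/302/303 hops are converted to a body-less GET as per HTTP, while 307/308 keep the method and body.

```python
"""Redirect-aware cross-domain policy check for a Flash-style file upload.

Added example (not part of the HackerOne report). Models the client-side
rule that closes both issues described above: each origin reached through a
redirect is checked against its own crossdomain.xml before either the POST
body is re-sent (307/308) or the final response is handed back to the SWF.
"""
from urllib.parse import urlsplit, urljoin
import xml.etree.ElementTree as ET

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
REPLAY_BODY_STATUSES = {307, 308}   # only these keep method and body on redirect
MAX_HOPS = 5


def policy_allows(policy_xml, swf_host):
    """True if a crossdomain.xml document grants access to swf_host."""
    if not policy_xml:
        return False
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return False
    for node in root.iter("allow-access-from"):
        dom = node.get("domain", "")
        if dom == "*" or dom == swf_host:
            return True
        if dom.startswith("*.") and swf_host.endswith(dom[1:]):
            return True
    return False


def upload_with_policy(swf_host, url, body, fetch):
    """Follow an upload request hop by hop, enforcing crossdomain.xml per origin.

    fetch(method, url, body) -> (status, headers, response_body)
    Returns (final_url, response_body_or_None, reason).
    """
    current, method, payload = url, "POST", body
    checked = set()
    for _ in range(MAX_HOPS):
        parts = urlsplit(current)
        origin = (parts.scheme, parts.hostname, parts.port)
        # Same host as the SWF needs no policy; every other origin must opt in,
        # including ones only reached via a redirect.
        if parts.hostname != swf_host and origin not in checked:
            status, _, policy = fetch("GET", urljoin(current, "/crossdomain.xml"), None)
            if status != 200 or not policy_allows(policy, swf_host):
                return current, None, f"blocked: {parts.hostname} policy does not allow {swf_host}"
            checked.add(origin)
        status, headers, resp = fetch(method, current, payload)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if not location:
                return current, None, "redirect without Location"
            current = urljoin(current, location)
            if status not in REPLAY_BODY_STATUSES:
                method, payload = "GET", None   # 301/302/303: drop the upload body
            continue
        return current, resp, "ok"
    return current, None, "too many redirects"


def build_fake_fetch():
    """Constructed in-memory HTTP for the demo (hypothetical hosts): a
    redirector with an open policy, a target with no crossdomain.xml, and a
    partner that explicitly allows attacker.example."""
    open_policy = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
    partner_policy = ('<cross-domain-policy><allow-access-from domain="attacker.example"/>'
                      '</cross-domain-policy>')
    responses = {
        ("GET", "http://redirector.example/crossdomain.xml"): (200, {}, open_policy),
        ("POST", "http://redirector.example/redirect.php?status=307"):
            (307, {"Location": "https://target.example/account"}, ""),
        ("POST", "http://redirector.example/redirect.php?status=302"):
            (302, {"Location": "https://partner.example/upload"}, ""),
        ("GET", "https://target.example/crossdomain.xml"): (404, {}, ""),
        ("POST", "https://target.example/account"): (200, {}, "private account page"),
        ("GET", "https://partner.example/crossdomain.xml"): (200, {}, partner_policy),
        ("GET", "https://partner.example/upload"): (200, {}, "partner landing page"),
    }
    calls = []

    def fetch(method, url, body):
        calls.append((method, url, body))
        return responses.get((method, url), (404, {}, ""))
    return fetch, calls


if __name__ == "__main__":
    fetch, calls = build_fake_fetch()
    print(upload_with_policy("attacker.example",
                             "http://redirector.example/redirect.php?status=307",
                             b"file bytes", fetch))
    print(calls)
```

With the 307 case, the model stops at target.example because its policy lookup fails, so neither the upload body nor the account page ever reaches the SWF; with the 302 case the hop is allowed only because partner.example opts in, and the replayed request is a body-less GET. The vulnerable behaviour described in the report is the same loop with the per-hop policy check removed.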

==REPRODUCTION CASE==
A SWF PoC file and its ActionScript source have been attached.
This SWF file can be hosted on any website to target other websites:
http://attacker.com/chromeFileUploadCrossDomain.swf?url=redirect.php?input=https://plus.google.com/u/0/

"redirect.php" is just a simple open redirect to the target URL. An example is as follows:
http://attacker.com/chromeFileUploadCrossDomain.swf?url=http://0me.me/demo/openredirect/redirect.php?target=https://plus.google.com/u/0/%26status=301
Note: "0me.me" has an open cross-domain policy, and that is why we did not need to host it on "attacker.com".

An image has been attached that shows the result of exploiting this vulnerability. The source code of the "redirect.php" file has also been attached, just for information.
