Adobe Flex 3.3 Cross Site Scripting

23 Aug 2009 | Reported by Adam Bixby | Type: packetstorm | Source: packetstormsecurity.com

Adobe Flex 3.3 SDK DOM-based XSS vulnerability in index.template.html

`==================================================  
Adobe Flex 3.3 SDK DOM-Based XSS  
Public Release Date: 8/19/2009  
Adam Bixby - Gotham Digital Science  
Affected Software: Adobe Flex 3.3 SDK and earlier  
  
==================================================  
1. Summary  
==================================================  
  
Adobe Flex is a software development kit released by Adobe Systems for the  
development and deployment of cross-platform rich Internet applications  
based on the Adobe Flash platform. A DOM-based Cross Site Scripting (XSS)  
vulnerability was found in the SDK's default index.template.html, the HTML  
template Flex Builder uses to generate the wrapper page for the application  
files in a project. The vulnerability therefore affects every application  
deployed with this HTML wrapper, not just the SDK itself. More information  
on DOM-based XSS is available here:  
http://www.owasp.org/index.php/DOM_Based_XSS  
  
  
The vendor (Adobe Systems) was notified of this issue on June 29, 2009. The  
vendor responded by releasing version 3.4 on August 19, 2009 and has also  
issued a security bulletin:  
http://www.adobe.com/support/security/bulletins/apsb09-13.html.  
  
  
==================================================  
2. Technical Details  
==================================================  
  
File: index.template.html  
  
1) Data enters via the URL: window.location is assigned to the MMredirectURL  
variable and concatenated into the FlashVars string passed to  
AC_FL_RunContent(). window.location is a Location object, so the  
concatenation invokes its toString(), which yields the full URL including  
the query string, and with it anything an attacker appended to it.  
  
Line 59:  
.snip..  
var MMredirectURL = window.location;  
.snip..  
  
Line 63:  
AC_FL_RunContent(  
..snip..  
"FlashVars", "MMredirectURL="+MMredirectURL+'&MMplayerType='+MMPlayerType+'&MMdoctitle='+MMdoctitle+"",  
..snip..  
  
2) The MMredirectURL value, now carrying user-controllable input, is passed  
to AC_GetArgs and ultimately to AC_Generateobj, which builds an object  
element (IE on Windows) or an embed element (everything else) by string  
concatenation and hands the result to document.write. The value lands  
inside a double-quoted attribute with no encoding at all, so a double quote  
in the URL closes the attribute, "/>" closes the tag, and whatever follows  
is written to the page as live HTML.  
  
File: AC_OETags.js  
  
Line 200:  
function AC_FL_RunContent(){  
var ret =  
AC_GetArgs  
( arguments, ".swf", "movie",  
"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"  
, "application/x-shockwave-flash"  
);  
AC_Generateobj(ret.objAttrs, ret.params, ret.embedAttrs);  
}  
  
Line 178:  
function AC_Generateobj(objAttrs, params, embedAttrs)  
{  
  var str = '';  
  if (isIE && isWin && !isOpera)  
  {  
    str += '<object ';  
    for (var i in objAttrs)  
      str += i + '="' + objAttrs[i] + '" ';  
    str += '>';  
    for (var i in params)  
      str += '<param name="' + i + '" value="' + params[i] + '" /> ';  
    str += '</object>';  
  } else {  
    str += '<embed ';  
    for (var i in embedAttrs)  
      str += i + '="' + embedAttrs[i] + '" ';  
    str += '> </embed>';  
  }  
  
  document.write(str);  
}  
  
  
NOTE: For the exploit to work, the end user must have an older version of  
Adobe Flash Player installed than the value set in the Globals variable  
"requiredMajorVersion" (Line 36). The code above sits in the wrapper's  
Express Install branch, which runs only when the detected player version is  
below the required one; a user whose player already satisfies the  
requirement never reaches the vulnerable document.write.  
  
==================================================  
3. Proof-of-Concept Exploit  
==================================================  
  
This vulnerability can be exploited against any Flex-based application that  
uses the index.template.html wrapper page containing the code above. In  
order to exploit this issue, the end user must have Adobe Flash Player  
installed, but at a version older than the one required by the application  
owner (the Globals variable "requiredMajorVersion"). The payload below also  
depends on the double quote and angle brackets reaching window.location  
unencoded; a browser that percent-encodes those characters in the query  
string writes them out harmlessly as %22, %3C and %3E.  
  
Reproduction Request:  
http://FlexApp/Flex/index.template.html  
?"/></object><script>alert('XSS')</script>  
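The following is an added worked example written for this page; it is not code from the advisory or from the Flex SDK. It ports the IE/Windows branch of AC_Generateobj() to Node.js so the generated markup can be inspected instead of being written to the document, drives it with the same FlashVars concatenation the 3.3 template uses (section 2), and feeds it the reproduction URL from section 3 through a constructed stand-in for window.location, since Node has none. The hardened wrapper beside it is this example's own illustration of a fix, not Adobe's 3.4 patch: it percent-encodes each FlashVars value and HTML-escapes every attribute value at the sink. The function names, the trimmed attribute set and the page title are assumptions made for the demo.

```javascript
'use strict';

// Constructed stand-in for window.location (assumption: Node has no DOM).
// A Location object has no string value of its own; string concatenation
// calls its toString(), which returns the full href, query string included.
// That is exactly what the 3.3 wrapper pastes into FlashVars.
function fakeLocation(href) {
  return { href: href, toString: function () { return href; } };
}

// Port of the IE/Windows branch of AC_Generateobj() from AC_OETags.js.
// Returns the markup instead of calling document.write() so it can be
// inspected. "escapeAttr" is an added hook the original does not have:
// the original concatenates every attribute value raw.
function buildObjectMarkup(objAttrs, params, escapeAttr) {
  var esc = escapeAttr || function (v) { return String(v); };
  var str = '<object ';
  for (var i in objAttrs) str += i + '="' + esc(objAttrs[i]) + '" ';
  str += '>';
  for (var j in params) str += '<param name="' + j + '" value="' + esc(params[j]) + '" /> ';
  str += '</object>';
  return str;
}

// Vulnerable wrapper, mirroring the Express Install branch of the 3.3
// index.template.html: the Location object goes straight into FlashVars.
// The attribute set is trimmed to what the demo needs (assumption).
function vulnerableWrapper(location, playerType, docTitle) {
  var MMredirectURL = location; // var MMredirectURL = window.location;
  var flashVars = 'MMredirectURL=' + MMredirectURL +
                  '&MMplayerType=' + playerType +
                  '&MMdoctitle=' + docTitle;
  return buildObjectMarkup(
    { classid: 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000', width: '100%', height: '100%' },
    { movie: 'playerProductInstall.swf', FlashVars: flashVars }
  );
}

// Minimal HTML attribute escaping for the hardened sink.
function escapeHtmlAttr(v) {
  return String(v)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened wrapper (this example's illustration, not Adobe's 3.4 patch).
// Two independent layers: percent-encode each FlashVars value so it stays
// a single value once Flash parses the string, and HTML-escape every
// attribute value at the sink so nothing can close the attribute or tag.
function hardenedWrapper(location, playerType, docTitle) {
  var flashVars = 'MMredirectURL=' + encodeURIComponent(String(location)) +
                  '&MMplayerType=' + encodeURIComponent(playerType) +
                  '&MMdoctitle=' + encodeURIComponent(docTitle);
  return buildObjectMarkup(
    { classid: 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000', width: '100%', height: '100%' },
    { movie: 'playerProductInstall.swf', FlashVars: flashVars },
    escapeHtmlAttr
  );
}

// Crude check for a tag the wrapper never emits itself; enough to tell
// the two outputs apart.
function hasInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Recover the MMredirectURL value Flash would see from the hardened markup,
// to confirm the redirect still round-trips once the values are encoded.
function redirectUrlFromHardened(html) {
  var m = /value="MMredirectURL=([^&"]*)/.exec(html);
  return m ? decodeURIComponent(m[1]) : null;
}

// Constructed request matching the advisory's reproduction URL.
var pocHref = "http://FlexApp/Flex/index.template.html?\"/></object><script>alert('XSS')</script>";
var loc = fakeLocation(pocHref);
var vulnHtml = vulnerableWrapper(loc, 'ActiveX', 'Flex App - Flash Player Installation');
var safeHtml = hardenedWrapper(loc, 'ActiveX', 'Flex App - Flash Player Installation');

console.log('vulnerable markup:\n' + vulnHtml + '\n');
console.log('hardened markup:\n' + safeHtml);
```

In the vulnerable output the FlashVars param reads value="MMredirectURL=http://FlexApp/Flex/index.template.html?"/></object><script>alert('XSS')</script>&MMplayerType=..., so the browser closes the param and the object at the attacker's "/></object> and parses the script that follows; in the hardened output the same characters appear as %22%2F%3E%3C%2Fobject%3E and the page contains no element the wrapper did not write. Encoding the FlashVars values alone already defeats this payload; escaping at the sink additionally protects any other attribute value that might later be fed from a user-controlled source.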
  
  
==================================================  
4. Recommendation  
==================================================  
  
Update to the Flex 3.4 SDK, or follow Adobe's TechNote to fix the template  
manually: http://kb2.adobe.com/cps/495/cpsid_49530.html  
  
  
==================================================  
5. About Gotham Digital Science  
==================================================  
  
Gotham Digital Science (GDS) is an international security services company  
specializing in Application and Network Infrastructure security, and  
Information Security Risk Management. For more information on GDS, please  
contact labs (at) gdssecurity.com or visit http://www.gdssecurity.com.  
`
