Web tools create XSS headaches
Posted On Tuesday, January 8, 2008 at at 1/08/2008 06:12:00 AM by null Adobe Flash files created by a number of Web authoring platforms could be co-opted by an online fraudster to conduct a cross-site scripting attack, security researchers stated last week. A paper authored by Google security researcher Richard Canning found that the Flash files created by at least five Web site authoring systems, including Adobe Dreamweaver and InfoSoft FusionCharts, could be used to to bypass anti-phishing measures. By creating a link that passes Javascript code to the Flash files, an attacker can cause a victim to run malicious code in the security context of a potentially trusted Web server, Canning stated in a summary of his findings. While pinpointing which sites are running vulnerable Flash files is difficult, hundreds of thousands of Web sites could be affected, Web security researcher Jeremiah Grossman wrote on his blog this weekend. "Because this issue is NOT a universal XSS as it is the case of the Adobe PDF bug, issues are going to be harder to track down," wrote Grossman, who is the chief technology officer for WhiteHat Security. 'We’re going to have to figure out ways decompile (or) reverse engineer Flash files to determine what authoring tool was used and update our vulnerability scanners so that Flash files can be tested in much the same ways as a web application." The issue is separate from a vulnerability in Flash files that Adobe fixed last month, the researchers said. Adobe issued a patch in December to fix ten critical vulnerabilities in its Flash software, among them modifications to eliminate cross-site scripting attacks using the Grossman stressed that vulnerable Flash animations will remain on the Web for some time, as Web developers first have to patch their authoring tools, then create new Flash files and upload those files to their sites. In many cases, a third-party developer maintains the Web site, which will increase delays, he said.asfunction()
and navigateToURL()
functions. On December 24, InfoSoft fixed its cross-site scripting issue by allowing only the loading of relative URLs, not absolute URLs.