Discuz! X2.5 ships a Flash file with a vulnerability that can lead to cross-site scripting. Last time we discussed flash.external.ExternalInterface.call($methodName, $parameter): in the browser it is executed as

try { __flash__toXML($methodName("$parameter")); } catch (e) { "<undefined/>"; }

Flash Player performs no encoding on the first argument, $methodName, when it emits the JS function call. In the previous example $methodName was fully controllable, but once the execution principle is understood, $methodName only needs to be partially controllable: we can still inject special characters and execute arbitrary JS code. For example:

flash.external.ExternalInterface.call("object." + $methodName, $parameter)

$methodName = a()}catch(e){alert(/xss/)}//

The result is that object has no method a, execution jumps to the catch block, and the JS we constructed runs:

try { __flash__toXML(object.a()}catch(e){alert(/xss/)}//("$parameter")); } catch (e) { "<undefined/>"; }

The best-known example of this type of XSS is the WordPress XSS that broke out in the middle of last year (WooYun: WordPress reflected XSS). Unfortunately, Discuz! X2.5 uses the same swfupload module, and the previous version is already fixed.

Vulnerable file: upload\static\image\common\swfupload.swf

Original SWF download: http://swfpoc.appspot.com/vul/discuz_swfupload.swf

http://bbs.open.qq.com/static/image/common/swfupload.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;alert(/xss/)}//

There are a lot of Discuz X2.5 forums; I really want to submit them one by one.
Solution:
Has your website been patched? It is not in the patch package ....
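As an added illustration (not code from Discuz! or the SWFUpload project), this is the kind of whitelist check a SWF or its embedding page should apply to a flashvar such as movieName before the value is spliced into an ExternalInterface.call target. The helper names, the identifier regex and the JSON escaping of the parameter are assumptions for this example, not Flash Player's or swfupload's own behaviour.

```javascript
// Added example (not Discuz!/SWFUpload code): whitelist the callback name a
// SWF receives from a flashvar such as movieName before it is spliced into
// an ExternalInterface.call target.

// A dotted path of plain JS identifiers, e.g. "SWFUpload.instances.SWFUpload_0".
// Braces, parentheses, quotes and "//" can never pass this test (assumed policy).
const IDENT_PATH = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === "string" && name.length <= 128 && IDENT_PATH.test(name);
}

// Hypothetical helper: build "object.<name>" only when both parts are bare
// identifier paths; anything else is rejected instead of passed through.
function callTarget(base, name) {
  if (!isSafeCallbackName(base) || !isSafeCallbackName(name)) {
    throw new Error("unsafe ExternalInterface target: " + JSON.stringify(name));
  }
  return base + "." + name;
}

// Mirror of the wrapper the text describes, built as a string so the effect
// of the check can be seen. The parameter is escaped with JSON.stringify here
// (an assumption for this example, not Flash Player's own encoding).
function wrapperScript(target, parameter) {
  const quoted = JSON.stringify(String(parameter));
  return "try { __flash__toXML(" + target + "(" + quoted + ")); } catch (e) { \"<undefined/>\"; }";
}

// Parse movieName out of a query string and decide whether the SWF should
// honour it; returns null when the value would be rejected.
function movieNameFromQuery(query) {
  const name = new URLSearchParams(query).get("movieName");
  return isSafeCallbackName(name) ? name : null;
}
```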