How Flash becomes a "bomb" in the SNS community"

SNS popular, Discuz! We also recommend that you change Discuz! Software for the Forum to become an SNS websiteUCenter Home. This software can be used for free, a lot of Discuz! The Forum has been upgraded. Search for "Powered by UCenter Home" in the search engine and get about 19400000 results. Our security research team found that this software has security risks and can cause a large number of SNS websites to be infected with Trojans.

I have heard that the SNS social networking website built by UCenter Home can pop up any website. I was surprised to hear that, isn't it possible to mount a Trojan on an SNS social network built in UCenter Home?

After some tests, I found that the UCenter Home security measures have been well performed, and some common code that may have vulnerabilities have been specially handled, but nonePerform script filtering on Flash files uploaded by users.

UCenter Home
ProblemFlash script filtering is lax
Major Hazards website Trojans by hackers
Vulnerability status fixed

I have heard that the SNS social networking website built by UCenter Home can pop up any website. I was surprised to hear that, isn't it possible to mount a Trojan on an SNS social network built in UCenter Home?

Since my colleague dared to say this, it must be well-founded. I decided to look for the source committee and find out the truth. After some tests, I found that the UCenter Home security measures were well performed, and some common code that may have vulnerabilities had been specially handled, but I did not perform script filtering on the Flash files uploaded by users.

Security Encyclopedia: UCenter Home is a set of Social Network Software (SNS) built using PHP + MySQL ). Through this website, users can easily build an SNS communication website with friends as the core, so that site users can use mini blogs to record the details of their daily lives in one sentence, you can easily and quickly publish logs, upload images, share information with friends, and discuss topics of interest.

　Flash script filtering is lax

SNS social media websites allow Flash Animation insertion, but no one thinks of the security risks of Flash. Flash supports a script language named ActionScript, which enables Flash to achieve a lot of interactive effects, but also leaves many hidden dangers, such as the pop-up of new windows, and does not effectively filter the ActionScript, eventually, the UCenter Home can be infected by hackers.

This time, the UCenter Home vulnerability allows hackers to do two things: pop-up webpages and pop-up windows. Compared with General Trojan vulnerabilities, hackers can do more bad things, for example, a hacker outside of the Trojan horse commits a scam by popping up the winning webpage.

Security Encyclopedia: The ActionScript scripting language is developed by Macromedia (which has been acquired by Adobe) for Flash. It was initially a simple scripting language and is now in the latest version 3.0, it is a fully object-oriented programming language with powerful functions and rich class libraries. Its syntax is similar to JavaScript. It is mostly used for Flash interactive, entertaining, and practical development, web page creation and RIA application development.

　　How to Use vulnerabilities to drive Trojans

Step 1: first install Adobe Flash production software, create a new Flash Animation file, and press F9 to bring up the "Action" Panel (figure 1 ). The editing environment of the "Action" Panel consists of two parts: left and right. The left is divided into two windows: Up and down. The top is the action Toolbox window, and the bottom is the script navigation window. Click Add script in the script edit window on the right to add the code "getURL (" http://www.google.cn "," _ top "," GET ");" to the script window ");".

Security Encyclopedia: In the "script" Navigator at the bottom left, lists the frames and objects with associated action scripts in the Flash file. Click the project in the script navigator, the script associated with the project will appear in the script editing window, and the stream play header in the scenario will also be moved to the corresponding position of the timeline. Double-click the project in the script navigator to fix the script.

Step 2: Create a New Flash Animation file and repeat the previous steps. However, the code added in the script editing window is changed to "getURL ("Javascript: Window. location. reload (); alert (xss); "," _ self "," GET ");".

Find a website that can upload Flash animation, upload the two generated Flash animations to the website, and find the URL of the uploaded animation by viewing the source code. Save the address, find an SNS community website built with UCenter Home, and register a user name and password (figure 2 ).

Step 3: After registering an account, click the "Post New log" button to post a post. At this time, there will be a line of shortcuts at the top of the new log Content window on the web page. In the shortcut key, find the button for inserting the Flash Animation and click "insert video Flash" (Figure 3 ).

In the displayed input window, select the animation type as "Flash Animation", enter the URL of the uploaded Flash Animation in the animation URL, and click "OK ".

Exit the Edit page and re-open the new log. The Google website is displayed (figure 4 ).

ThenWindowsPrompt window (figure 5 ).

　Deep Analysis

In the window or webpage popped up in the above example, if you change the address to the webpage Trojan address, it is a webpage Trojan. If you change the pop-up information to "Congratulations, you have won the prize !" Network fraud. It can be seen that this vulnerability has a great hazard.

The direct cause of the vulnerability is Flash, which has never been interrupted since its birth. Almost every version has a large or small vulnerability.

There is a reason why hackers like to exploit Flash vulnerabilities. Flash Trojans are concealed and many websites are allowed to upload Flash files.

In addition, Flash also has some legitimate functions that have security risks. For example, in the pop-up window, the website administrator should pay special attention to some restrictions to filter out the security risks of users uploading Flash files.

You can only use the Flash Player of the website to play the video. You are not allowed to directly insert Flash into the webpage. You must also set that the player does not allow automatic playback of Flash.