As you know, in browsers that cannot send binary data streams in Ajax mode, you need Flash to upload files with a progress display (uploading through a type=file form also works, and progress can be obtained by having JS poll the server at regular intervals, but that is not covered in this article; likewise ActiveX and other solutions are not discussed here). Besides showing progress, Flash can also add files in batches and restrict file size and type. To this day, Flash-based file upload is still a mainstream solution in China.
However, a few months ago, several commonly used third-party Flash upload components were reported to have XSS and CSRF vulnerabilities (if you do not know what XSS/CSRF are or what harm they cause, look them up). There are two main causes:
One is that when the Flash code executes JS through ExternalInterface.call, it uses variables passed in through the queryString from the HTML, and these parameters are neither checked nor filtered, resulting in XSS. The components I know of with this problem include SwfUpload V2.2/V2.5 and Uploadify V2.1.4.
The other is that the Flash code calls Security.allowDomain('*'), which destroys Flash's security sandbox. This makes it possible for a third party to load the swf file and obtain tokens and other sensitive information, leading to a CSRF attack. The component I know of with this problem is Plupload V1.5.3.
If your project uses a Flash upload component of one of the versions above, we recommend taking measures to eliminate the risk as soon as possible. Uploadify and Plupload are still updated officially, so we recommend upgrading them to the latest version. SWFUpload's official source has shown no activity for two years and appears to be unmaintained; if you insist on using it, download the source code and modify it yourself. Briefly, the modification method is as follows (V2.2 is used as the example; V2.5 is similar): install FlashDevelop, open the SWFUpload v2.as3proj project file under the SWFUpload v2.2.0.1 Core/Flash path in the source code, and in SWFUpload change this line:
this.movieName = root.loaderInfo.parameters.movieName;
to the following, which strips every character outside the whitelist of word characters, '.' and '-':
this.movieName = root.loaderInfo.parameters.movieName.replace(/[^\w\.\-]/g, '');
After the modification, you can use a URL of the following form to verify that the vulnerability is blocked:
www.example.com/swfupload.swf?movieName=%22])}catch(e){if(!window.x){alert(1);window.x=1}}try{([%22
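The filter above, together with the way movieName reaches ExternalInterface.call, as an added example in JavaScript (this is not SWFUpload's own code; the callback template in buildCallbackJs is an assumed stand-in for the component's real one, and the query string is the verification URL from this article):

```javascript
// Added example, not SWFUpload's own code. Models how a movieName read from
// the query string is spliced into the JavaScript that the SWF passes to
// ExternalInterface.call, and applies the whitelist fix described above.

// Whitelist filter equivalent to the ActionScript fix: keep word characters,
// '.' and '-', strip everything else.
function sanitizeMovieName(name) {
  return String(name).replace(/[^\w.\-]/g, '');
}

// True when the name survives the whitelist unchanged; useful as a check
// before the value is used at all, rather than silently rewriting it.
function isSafeMovieName(name) {
  return sanitizeMovieName(name) === name;
}

// Pull movieName out of the swf query string, as the SWF does via
// root.loaderInfo.parameters (URLSearchParams does the percent-decoding).
function movieNameFromQuery(queryString) {
  return new URLSearchParams(queryString).get('movieName') || '';
}

// Assumed stand-in for the component's real callback template: the name lands
// inside a double-quoted JS string literal, so a quote in the name ends the
// literal and whatever follows is parsed as code.
function buildCallbackJs(movieName) {
  return 'try{SWFUpload.instances["' + movieName + '"].uploadProgress()}catch(e){}';
}

// Structural check: an intact fragment contains exactly the two quotes that
// the template itself contributes.
function callbackJsIsIntact(js) {
  return (js.match(/"/g) || []).length === 2;
}

// Constructed query string, taken from the verification URL in the article.
const testQuery =
  '?movieName=%22])}catch(e){if(!window.x){alert(1);window.x=1}}try{([%22';

function demo() {
  const raw = movieNameFromQuery(testQuery);
  const clean = sanitizeMovieName(raw);
  return {
    rawIntact: callbackJsIsIntact(buildCallbackJs(raw)),     // false
    cleanIntact: callbackJsIsIntact(buildCallbackJs(clean)), // true
    clean,
  };
}
```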
In addition, because the Flash upload components mentioned above are so widely used, commonly used open-source web projects also need to be checked and upgraded. For example, the version of the well-known WordPress released recently fixes this kind of problem, while the latest version of the Chinese open-source web editor KindEditor still has it.
(I do not mind exposing my own private details in this screenshot :))
Reference: https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/
By JerryQu