COMMAND

	Flash with embeeded  Javascript  bypass  all  browser  &  web  sites
	protections for CSS

SYSTEMS AFFECTED

	All web sites allowing users to upload flash

PROBLEM

	Obscure from EyeonSecurity [http://eyeonsecurity.net/] found  a  way  to
	use flash in cross site scripting.
	

	 Abstract

	 ========

	

	In this document  we  will  be  describing  a  loophole,  with  security
	implications, found in many websites that allow Flash  documents  to  be
	inserted within HTML, or uploaded to the server. This  paper  relies  on
	the fact that a huge number of web  surfers  have  installed  Macromedia
	Flash plugin/ActiveX control, for an attacker  to  launch  a  Cross-site
	scripting attack. We will not go into a  lot  of  detail  in  describing
	Cross-site scripting attacks in  general;  However  we  hope  that  this
	paper will explain how Flash documents can be used to inject  JavaScript
	into otherwise well filtered Web Applications.
	

	See http://eyeonsecurity.net/papers/flash-xss.htm for more.

SOLUTION

	Web sites should filter  getURL() in uploaded flash objects.
	

	see paper for more details.