
Adobe Flex 3.3 SDK DOM-Based XSS

=================================================
Adobe Flex 3.3 SDK DOM-Based XSS
Public Release Date: 8/19/2009
Adam Bixby - Gotham Digital Science
Affected Software:  Adobe Flex 3.3 SDK and earlier

=================================================
1. Summary
Adobe Flex is a software development kit released by Adobe Systems for the development and deployment of cross-platform rich Internet applications based on the Adobe Flash platform. A DOM-based Cross Site Scripting (XSS) vulnerability was found in the SDK's default index.template.html, the HTML template FlexBuilder uses to generate the wrapper HTML for every application file in a project. The XSS vulnerability appears to affect all users who download and utilize this HTML wrapper. You can find more information on DOM-based XSS here: http://www.owasp.org/index.php/DOM_Based_XSS

The vendor (Adobe Systems) was notified of this issue on June 29, 2009. The vendor responded by releasing version 3.4 on August 19, 2009 and has also issued a security bulletin: http://www.adobe.com/support/security/bulletins/apsb09-13.html. 

=================================================
2. Technical Details
File: index.template.html

1) Data enters via URL parameters through the window.location JavaScript object, is stored in the MMredirectURL variable, and is passed to the AC_FL_RunContent() function.

Line 59:
var MMredirectURL = window.location;

Line 63:
            "FlashVars", "MMredirectURL="+MMredirectURL+'&MMplayerType='+MMPlayerType+'&MMdoctitle='+MMdoctitle+"",

2) The MMredirectURL variable carrying user-controllable input is passed to AC_GetArgs and ultimately to AC_Generateobj, which performs a document.write. Writing the unvalidated data into the HTML creates the XSS exposure.

File: AC_OETags.js

Line 200:
function AC_FL_RunContent(){
  var ret = 
    AC_GetArgs
    (  arguments, ".swf", "movie", "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
     , "application/x-shockwave-flash"
    );
  AC_Generateobj(ret.objAttrs, ret.params, ret.embedAttrs);
}

Line 178:
function AC_Generateobj(objAttrs, params, embedAttrs) {
    var str = '';
    if (isIE && isWin && !isOpera) {
        str += '<object ';
        for (var i in objAttrs) str += i + '="' + objAttrs[i] + '" ';
        str += '>';
        for (var i in params) str += '<param name="' + i + '" value="' + params[i] + '" /> ';
        str += '</object>';
    } else {
        str += '<embed ';
        for (var i in embedAttrs) str += i + '="' + embedAttrs[i] + '" ';
        str += '> </embed>';
    }
    document.write(str); // FlashVars built from MMredirectURL reaches the page unescaped
}
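As an added illustration (not code from the Flex SDK and not Adobe's own fix), the following JavaScript rebuilds the same FlashVars string and object/embed markup with the untrusted URL percent-encoded and every attribute value HTML-escaped before the markup is assembled; the helper names and the sample URL are constructed for this example, and the markup is returned rather than written so it can be run outside a browser.

```javascript
// Added example: hardened counterpart to the index.template.html / AC_OETags.js
// flow described above. Helper names are illustrative, not SDK identifiers.

// Percent-encode each FlashVars key and value so '&', '=', quotes and angle
// brackets taken from the URL cannot terminate the value or the attribute.
function buildFlashVars(vars) {
  return Object.keys(vars)
    .map(function (k) { return encodeURIComponent(k) + '=' + encodeURIComponent(vars[k]); })
    .join('&');
}

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Same shape as AC_Generateobj, but every attribute name, param name and value
// is escaped, and the markup is returned instead of passed to document.write.
function generateObjectMarkup(objAttrs, params, embedAttrs, useObjectTag) {
  var str = '';
  var i;
  if (useObjectTag) {
    str += '<object ';
    for (i in objAttrs) str += escapeAttr(i) + '="' + escapeAttr(objAttrs[i]) + '" ';
    str += '>';
    for (i in params) str += '<param name="' + escapeAttr(i) + '" value="' + escapeAttr(params[i]) + '" /> ';
    str += '</object>';
  } else {
    str += '<embed ';
    for (i in embedAttrs) str += escapeAttr(i) + '="' + escapeAttr(embedAttrs[i]) + '" ';
    str += '> </embed>';
  }
  return str;
}

// Constructed sample URL standing in for window.location; it carries the
// characters that would break out of the FlashVars attribute in the 3.3 template.
var sampleHref = 'http://example.test/app.html?q="><b>';
var flashVars = buildFlashVars({ MMredirectURL: sampleHref, MMplayerType: 'PlugIn', MMdoctitle: 'My App' });
var markup = generateObjectMarkup({}, {}, { src: 'app.swf', FlashVars: flashVars }, false);
```

In the output the quote and angle brackets from the URL survive only as %22, %3E and %3C inside the attribute, so the browser never sees them as markup.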

=================================================
4. Recommendation
Update to Flex 3.4 SDK or view Adobe's TechNotes on how to manually fix the issue: http://kb2.adobe.com/cps/495/cpsid_49530.html 

=================================================
5. About Gotham Digital Science
Gotham Digital Science (GDS) is an international security services company specializing in Application and Network Infrastructure security, and Information Security Risk Management. For more information on GDS, please contact labs (at) gdssecurity.com or visit http://www.gdssecurity.com. 
