
XSS (cross site scripting) in ZeroClipboard swf files #14

Closed
emanuelb opened this issue Sep 15, 2012 · 5 comments

Comments

@emanuelb

commented Sep 15, 2012

The ZeroClipboard.swf and ZeroClipboard10.swf are vulnerable to an XSS attack, for example:
http://website/js/ZeroClipboard.swf#?id=\"))}catch(e){alert(/XSS/.source);}//&width=500&height=500
http://website/js/ZeroClipboard10.swf#?id=\"))}catch(e){alert(/XSS/.source);}//&width=500&height=500
http://website/js/ZeroClipboard.swf?id=\"))}catch(e){alert(/XSS/.source);}//&width=500&height=500
http://website/js/ZeroClipboard10.swf?id=\"))}catch(e){alert(/XSS/.source);}//&width=500&height=500

Vulnerable code:

```actionscript
public function ZeroClipboard() {
    // ...
    // flashvars are taken straight from the URL query string / fragment
    var flashvars:Object = LoaderInfo(this.root.loaderInfo).parameters;
    id = flashvars.id;  // attacker-controlled, never validated or escaped
    // ...
    // `id` is interpolated into the JavaScript that ExternalInterface evaluates in the page
    ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null);
}
```

These files get an `id` parameter from the URL and pass it as the second parameter of ExternalInterface.call without any validation (only numbers) or proper escaping/encoding.
I reported the same issue here:
https://code.google.com/p/zeroclipboard/issues/detail?id=103
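An added example, not ZeroClipboard's code: a JavaScript model of the two mitigations this thread points at for the `id` flashvar the SWF hands to ExternalInterface.call. It assumes ids only ever look like generated element ids; the function names are made up here.

```javascript
// ExternalInterface.call serialises a String argument as a double-quoted
// JavaScript string literal inside a snippet it evaluates in the page, and
// the escaping Flash applies there is incomplete (the fix in #2 doubles
// backslashes for that reason). Two defences, applied before the call:
//  1. allowlist the value (ZeroClipboard ids are generated element ids);
//  2. escape it so it can only be read as the content of the literal.

// Constructed sample: the payload from the report above, URL-decoded.
const REPORTED_PAYLOAD = '\\"))}catch(e){alert(/XSS/.source);}//';

// Mitigation 1: only accept ids of the shape the library itself generates.
function isSafeFlashvarId(id) {
  return typeof id === 'string' && /^[A-Za-z0-9_-]{1,64}$/.test(id);
}

// Mitigation 2: escape for a double-quoted JS string literal.
// Backslash must be handled first or later escapes get re-escaped.
function escapeForJsStringLiteral(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// What the SWF side should do before ExternalInterface.call:
// reject anything outside the allowlist, otherwise escape. null = rejected.
function prepareIdForExternalInterface(flashvarId) {
  if (!isSafeFlashvarId(flashvarId)) return null;
  return escapeForJsStringLiteral(flashvarId);
}

// Self-check for the escaper: parsing `"<escaped>"` as JSON must yield the
// original value, i.e. nothing in it terminated the string literal.
function staysInsideStringLiteral(value) {
  try {
    return JSON.parse('"' + escapeForJsStringLiteral(value) + '"') === value;
  } catch (e) {
    return false;
  }
}
```

The allowlist alone closes the reported case; the escaper covers values that legitimately need quotes or backslashes, such as clipboard text.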

@jonrohan
Contributor

commented Sep 16, 2012

@emanuelb thanks for the report. Any thoughts on how to patch that? It seems like escaping the copy text would end up with incorrect clipped text?

PS: also, the Google Code repo is dead.

@emanuelb
Author

commented Sep 16, 2012

I see that there is a fix to this issue at (replace \ with \\):
#2
For some reason the version I downloaded from Google Code and GitHub didn't contain the fix.

@jonrohan
Contributor

commented Sep 16, 2012

Ah yes. The Google Code ZeroClipboard has stopped development. I contacted the original developer and asked if he was still working on it... long story short, I ended up as maintainer with the new codebase here.

@jonrohan jonrohan closed this Sep 16, 2012
ryalb pushed a commit to ryalb/TableTools that referenced this issue Nov 25, 2014
- Reading a flashvar without escaping it appears to be a surefire way
  of introducing an XSS vulnerability into your code. Crazy that it is
  effectively insecure out of the box, but there we go.

- Thanks to Hip (Insight-labs.org) and Tobias Bäthge for discovering
  this and letting me know.

- More information can be found here:
  zeroclipboard/zeroclipboard#14
ryalb pushed a commit to ryalb/TableTools that referenced this issue Nov 25, 2014
- Thanks to Hip (Insight-labs.org) and Tobias Bäthge for discovering
  this and letting me know.

- More information can be found here:
  zeroclipboard/zeroclipboard#14
@paperalta

commented Feb 5, 2015

Bug is not resolved. Check this:

http://ZeroClipboard.swf?id=\%22%29%29}catch%28e%29{alert%28/XSS/.source%29;}//&width=500&height=500

@JamesMGreene
Member

commented Feb 6, 2015

@paperalta: Using what version? I cannot reproduce with any relatively modern version of ZeroClipboard and the super-old versions are obviously not going to be patched.

E.g. this does nothing:
http://cdn.rawgit.com/zeroclipboard/zeroclipboard/master/dist/ZeroClipboard.swf?swfObjectId=\%22%29%29}catch%28e%29{alert%28/XSS/.source%29;}//&width=500&height=500
