XSS (cross site scripting) in ZeroClipboard swf files #14

Closed
emanuelb opened this Issue Sep 15, 2012 · 5 comments


emanuelb commented Sep 15, 2012

The ZeroClipboard.swf and ZeroClipboard10.swf files are vulnerable to an XSS attack, for example:
http://website/js/ZeroClipboard.swf#?id=\"))}catch(e){alert(/XSS/.source);}//&width=500&height=500
http://website/js/ZeroClipboard10.swf#?id=\"))}catch(e){alert(/XSS/.source);}//&width=500&height=500
http://website/js/ZeroClipboard.swf?id=\"))}catch(e){alert(/XSS/.source);}//&width=500&height=500
http://website/js/ZeroClipboard10.swf?id=\"))}catch(e){alert(/XSS/.source);}//&width=500&height=500

Vulnerable code:

    public function ZeroClipboard() {
        ....
        // flashvars come straight from the query string of the SWF URL
        var flashvars:Object = LoaderInfo(this.root.loaderInfo).parameters;
        id = flashvars.id;
        ....
        // the unvalidated id is passed as an argument to the JavaScript call
        // that ExternalInterface.call assembles and evaluates in the page
        ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null);
    }

These files take an id parameter from the URL and pass it as the second parameter of ExternalInterface.call without any validation (e.g. numbers only) or proper escaping/encoding.
I reported the same issue here:
https://code.google.com/p/zeroclipboard/issues/detail?id=103
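An added example, not code from the issue or from ZeroClipboard, that models in JavaScript what the report describes: the Flash Player turns the arguments of ExternalInterface.call into a JavaScript statement, so escaping only the double quote lets a value that starts with a backslash close the string literal early, while escaping backslashes first (the "replace \ with \\" fix referenced later in the thread) keeps it contained. The `try { __flash__toXML(...) } catch` wrapper is assumed to follow the Player's statement shape, and `isSafeId` is a hypothetical allowlist check on top of the escaping.

```javascript
// The id value from the report's example URL, decoded.
const REPORTED_ID = '\\"))}catch(e){alert(/XSS/.source);}//';

// Vulnerable marshalling: backslash-escape only the double quote.
function escapeQuoteOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Hardened marshalling: escape backslashes first, then quotes, so a
// leading backslash in the input cannot neutralise the quote escape.
function escapeBackslashAndQuote(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Statement shape (assumed) that the Player emits for
// ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null).
function buildDispatchCall(id, escapeFn) {
  return 'try { __flash__toXML(ZeroClipboard.dispatch("' + escapeFn(id) +
         '", "load", null)); } catch (e) { "<undefined/>"; }';
}

// Scan a double-quoted JS string literal that opens at `start`; return the
// index just past its closing quote, honouring backslash escapes.
function endOfStringLiteral(js, start) {
  let i = start + 1;
  while (i < js.length) {
    if (js[i] === '\\') { i += 2; continue; }
    if (js[i] === '"') return i + 1;
    i++;
  }
  return -1;
}

// True when the marshalled id stays inside its literal and the statement
// resumes exactly where the template intends; false means the value
// escaped into code position.
function idStaysInLiteral(id, escapeFn) {
  const js = buildDispatchCall(id, escapeFn);
  const open = js.indexOf('dispatch("') + 'dispatch('.length;
  const end = endOfStringLiteral(js, open);
  return end !== -1 && js.startsWith('", "load", null)', end - 1);
}

// Hypothetical allowlist: ZeroClipboard ids only need to be DOM-id-like tokens,
// so anything else can be rejected before it ever reaches the JS bridge.
function isSafeId(id) {
  return /^[A-Za-z0-9_-]{1,64}$/.test(id);
}
```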

jonrohan (Contributor) commented Sep 16, 2012

@emanuelb thanks for the report. Any thoughts on how to patch that? It seems like escaping the copy text would end up with incorrect clipped text?

ps. also, the google code repo is dead.


emanuelb commented Sep 16, 2012

I see that there is a fix for this issue at #2 (replace \ with \\).
For some reason the version I downloaded from Google Code and GitHub didn't contain the fix.

jonrohan (Contributor) commented Sep 16, 2012

Ah yes. The Google Code ZeroClipboard has stopped development. I contacted the original developer and asked if he was still working on it... long story short, I ended up as maintainer with the new codebase here.

jonrohan closed this Sep 16, 2012

ryalb pushed a commit to ryalb/TableTools that referenced this issue Nov 25, 2014

Fix: XSS issue in Flash
- Reading a flashvar without escaping it appears to be a surefire way
  of introducing an XSS vulnerability into your code. Crazy that it is
  effectively insecure out of the box, but there we go.

- Thanks to Hip (Insight-labs.org) and Tobias Bäthge for discovering
  this and letting me know.

- More information can be found here:
  zeroclipboard/zeroclipboard#14

ryalb pushed a commit to ryalb/TableTools that referenced this issue Nov 25, 2014

Fix: XSS issue in Flash
- Thanks to Hip (Insight-labs.org) and Tobias Bäthge for discovering
  this and letting me know.

- More information can be found here:
  zeroclipboard/zeroclipboard#14

paperalta commented Feb 5, 2015

The bug is not resolved. Check this:

http://ZeroClipboard.swf?id=\%22%29%29}catch%28e%29{alert%28/XSS/.source%29;}//&width=500&height=500

JamesMGreene (Member) commented Feb 6, 2015

@paperalta: Using what version? I cannot reproduce with any relatively modern version of ZeroClipboard and the super-old versions are obviously not going to be patched.

E.g. this does nothing:
http://cdn.rawgit.com/zeroclipboard/zeroclipboard/master/dist/ZeroClipboard.swf?swfObjectId=\%22%29%29}catch%28e%29{alert%28/XSS/.source%29;}//&width=500&height=500
