__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       Flash Authoring Tool Vulnerability
                     [US-CERT Vulnerability Note VU#249337]

January 3, 2008 22:00 GMT                                         Number S-101
______________________________________________________________________________
PROBLEM:       A number of authoring tools for Flash content may generate 
               files that contain cross-site scripting vulnerabilities. 
PLATFORM:      Flash Authoring Tools 
DAMAGE:        May be vulnerable to cross-site scripting vulnerabilities. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. May be vulnerable to cross-site scripting 
ASSESSMENT:    vulnerabilities. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-101.shtml 
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/249337 
______________________________________________________________________________
[***** Start US-CERT Vulnerability Note VU#249337 *****]

Vulnerability Note VU#249337
Flash authoring tools create Flash files that contain cross-site scripting vulnerabilities
Overview
A number of authoring tools for Flash content may generate files that contain 
cross-site scripting vulnerabilities. Any site hosting Flash generated by an 
affected tool could be vulnerable to cross-site scripting. 
I. Description
ActionScript is a scripting language based on ECMAScript (also referred to as 
JavaScript) used primarily for the development of websites and software using 
Adobe Flash. The resulting Flash content is typically published in the form of 
SWF files embedded in web pages. ActionScript within a Flash file creates dynamic 
content on the web and interacts with web browsers in a manner similar to JavaScript, 
VBScript, and other client-side scripting languages. As with traditional script 
content in HTML pages, improperly validated user-controlled input in Flash files 
can execute arbitrary ActionScript and JavaScript in the context of the domain 
hosting the affected Flash file. One specific type of vulnerability depends on the 
behavior of a special ActionScript protocol called asfunction. The asfunction 
protocol is used for URLs in HTML text fields and causes a link to invoke an 
ActionScript function in a Flash file instead of opening a URL. An attacker could 
call all public and static functions by supplying a string parameter to asfunction. 
There exist other types of vulnerabilities as well. 
Applications that generate Flash files (e.g., "save as SWF", "export to SWF", 
etc.) by using vulnerable templates or by including static Flash content like a 
controller may automatically insert generic and vulnerable ActionScript into 
saved files. As a result, all Flash files generated by these affected applications 
create cross-site scripting vulnerabilities in the domains hosting these files. 
Furthermore, exploitation of these vulnerabilities would be consistent across all 
sites using a particular product and vulnerable sites could be identified through 
a web search. 

II. Impact
Any website hosting Flash files generated by an affected product is vulnerable 
to cross-site scripting in the context of the domain hosting the vulnerable file. 
Secondary impacts include the ability to spoof or modify web content, access 
website information such as cookies, or retrieve data from an encrypted HTTPS 
connection. For a more detailed description of the impact of cross-site scripting 
vulnerabilities, please see CERT Advisory CA-2000-02. 
III. Solution
Upgrade or apply an update or patch 
Updates for affected authoring tools have been released to address this issue. 
Please see the Systems Affected section of this document for more information. 
Note that this section is not complete, vendors that create vulnerable Flash 
authoring tools may not be listed.

Vulnerable Flash files must be regenerated after the affected authoring tools 
have been updated.

Adobe has included mitigations in Flash Player to block attacks against some 
cross-site scripting vulnerabilities in Flash files (APSB07-20).

Workarounds

Until patches can be applied and affected Flash files regenerated, website 
owners may wish to remove automatically generated Flash files or at least 
serve automatically generated Flash files from "safe" domains, such as numbered 
IP addresses.

Developers of applications that save to SWF are encouraged to perform proper 
input validation on all user definable variables used in URL loading 
ActionScript functions and the htmlText variable. Specifically, 

Whitelist protocol handlers to allow only "http:" and "https:" in all URL 
loading functions. 
Whitelist characters in user definable input when used in getURL(). Do not 
rely on escape(). When feasible, only allow alphanumeric characters. 
Whitelist and/or HTML entity encode user input in htmlText. 
Load SWF files from relative URLs. The relative URL should not contain "..". 
Systems Affected
Vendor Status Date Updated 
Adobe Vulnerable 2-Jan-2008 
Autodemo Vulnerable 13-Dec-2007 
InfoSoft Global Vulnerable 13-Dec-2007 
TechSmith Corporation Vulnerable 13-Dec-2007 

References

http://www.wisec.it/sectou.php?id=464dd35c8c5ad
http://eyeonsecurity.org/papers/flash-xss.pdf
http://docs.google.com/View?docid=ajfxntc4dmsq_14dt57ssdw
http://www.adobe.com/support/security/advisories/apsa07-06.html
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
http://code.google.com/p/flash-validators/
https://www.owasp.org/index.php/Category:SWFIntruder
http://www.mhprofessional.com/product.php?isbn=0071494618 

Credit
Thanks to Rich Cannings of the Google Security Team for reporting this 
vulnerability. Stefano Di Paola of Minded Security originally published 
information about the general problem of cross-site scripting in Flash 
applications. 

This document was written by Chad Dougherty. 

Other Information
Date Public 05/18/2007 
Date First Published 01/02/2008 03:16:35 PM 
Date Last Updated 01/02/2008 
CERT Advisory   
CVE Name   
Metric 5.40 
Document Revision 48 


[***** End US-CERT Vulnerability Note VU#249337 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-091: MySQL Security Update
S-092: Adobe Flash Player Vulnerability
S-093: ClamAV Vulnerabilities
S-094: IBM Lotus Domino Web Access Vulnerability
S-095: Linux-2.6 Vulnerabilities
S-096: Application Inspection Vulnerability in Cisco Firewall Services Module
S-097: libexif Security Update
S-098: HP-UX Running rpc.yppasswdd Vulnerability
S-099: PeerCast Vulnerability
S-100: GNU Tar Vulnerabilities