Results 1 to 3 of 3

Thread: Houston, we have an XSS at Garage Share/Save - My123World.Com!

  1. #1
    Webapp Secninja
    Join Date
    Aug 2012
    Ranchi, Jharkhand
    Blog Entries

    Houston, we have an XSS at Garage

    I want to share details behind a Flash-based XSS at our Garage4Hackers Forum that I found and has been patched.

    Last day, I was uploading a pic for a post here and for some strange reason it was not getting uploaded, I tried to look a bit deeper inside this issue which turned out that our not-so-friendly mod_security module was blocking the file. In the course, I discovered that we use a Flash-based uploader for uploading pictures.

    Name:  uploader.jpg
Views: 1178
Size:  40.5 KB

    So I decompiled it and checked for common sinks that typically causes XSS in SWF files, I searched for and found 2 results in the decompiled code.

    One reference that caught my attention was:

    Code:  , this.elementID, event);

    I looked deeper and found that both this.javaScriptEventHandler and this.elementID were being taken from external input (Flashvars), see snippet below:

    			this.elementID = this.loaderInfo.parameters.YUISwfId;
    			this.javaScriptEventHandler = this.loaderInfo.parameters.YUIBridgeCallback;
    			var jsCheck: * = /^[A-Za-z0-9.]*$/g;
    			if (!jsCheck.test(this.javaScriptEventHandler)) {
    			    this.javaScriptEventHandler = "";
    We can see that there is a RegExp validation on this.javaScriptEventHandler that would prevent our code to reach sink ( But guess what there is no validation with this.elementID . Now we can control the second parameter of but before proceeding let's talk some basic stuff. AS function works like this :

    Code:"sendToJavaScript", input.text);
    This will become something like below, when the compiled ActionScript code (in form of SWF file) will execute inside a browser with Adobe Flash installed.

     try { __flash__toXML(sendToJavaScript, "value of input.text");  } catch (e) {    "<undefined/>";  }

    Some more basics, if value of input.text in above is Test" then it will translate to ... __flash__toXML(sendToJavaScript, "Test\""); ... .Notice " got escaped, we are still inside the string block, but to insert our own JS we need to escape out of the string block.

    Now if the value of input.text is Test\" it will translate to ... __flash__toXML(sendToJavaScript, "Test\\""); ... . Here our slash will escape out the slash of double quotes and we can now break out of the string block and break the try-catch block to append our own JS code like a boss!

    Imagine if the input of input.text is \")}catch(e) {alert('XSS');}// it will become:

    try {   __flash__toXML(sendToJavaScript, "\\")}catch(e) {alert('XSS');}//"));  } catch (e) {    "<undefined/>";  }

    Now let's come back to our Flash-based Uploader, controllable variable is this.elementID which received input via external parameter YUISwfId. If value of YUISwfId is equal to input"\ it will result to the following try-catch block via in the uploader code mentioned at the top of this post :

    Name:  trycatch.jpg
Views: 1027
Size:  16.3 KB

    So, we can set the value of YUISwfId parameter to \"))}catch(e) {alert('XSS');}// to execute our payload, just co-relate it with the example we learned earlier :

    Code:\"))}catch(e) {alert('XSS');}//
    Technically this URL should execute our supplied JS with the origin of domain but IT WON'T as mod_security will kick in and prevent us from doing this..

    We have a sneaky bypass for this, we can use a '#' sign before start of query string, this will force the query string to remain on client-side and prevent it from reaching Mr.mod_security

    Code:\"))}catch(e) {alert('XSS');}//

    Let's see the POC Image:

    Name:  xss.jpg
Views: 1066
Size:  43.0 KB

    And a complete video of analysis:


    1. After Googling around I noticed that it was a known issue in YUI Uploader which was patched back then but still shipped into vBulletin 4.2 which we use at Garage.

    2. I'm really thankful to Rahul Sasi aka FB1H2S for quick fix.

    3. Decompiled code:

    Cheers to every Garage Member
    Last edited by prakhar; 07-04-2013 at 04:59 PM.
    Hacking Wacking Sab Moh Maya Hai
    To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.

  2. #2
    Super Commando Dhruv abhaythehero's Avatar
    Join Date
    Sep 2010
    Blog Entries
    Excellent find prakhar ! Brilliant hackerish attempt to find vulnerability !
    In the world of 0s and 1s, are you a zero or The One !

  3. #3
    Garage Addict 41.w4r10r's Avatar
    Join Date
    Jul 2010
    Blog Entries
    Nice Find.. & Thanks for Responsible Disclosure

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts