SWFUpload Applet Vulnerabilities

Thursday, March 14, 2013 @ 05:03 PM gHale

SWFUpload, an applet that combines Flash and JavaScript and is used in millions of websites, is vulnerable to content spoofing and cross-site scripting that could lead to the takeover of accounts, according to reports this week.

Applications that use versions and older of SWFUpload are vulnerable, according to a post on Full Disclosure. This includes old versions of WordPress, builds 2.7–3.3.1 in particular, as well as versions of content management systems like Dotclear, InstantCMS, AionWeb, Dolphin and SwfUploadPanel for TYPO3 CMS, plus the Archiv plugin for TinyMCE, Liferay Portal, SWFUpload for Drupal, Codeigniter and SentinelleOnAir, according to the warning.

SWFUpload is stable, according to a description on Google Code, but is not in development anymore. The tool works in tandem with Adobe’s Flash Player to simplify uploading multiple, queued files, among other functions.

According to the SecLists warning, old versions of swfupload.swf and alternately titled versions like swfupload_f9.swf, swfupload_f8.swf, swfupload_f10.swf and swfupload_f11.swf are vulnerable while versions of swfupload.swf bundled with WordPress 3.3.2 and higher are safe.

Dotclear’s project manager Franck Paul said a fix is already in development. The next version of the open-source web publishing software (2.5) should hit in a few days and include a new swfupload.swf that will fix the potential SWFUpload XSS vulnerability.

“We heard about this yesterday evening and we committed a patch this morning,” Paul said.

XenForo, a British company that makes community forum software, meanwhile claims it acknowledged the problem last summer, patching the issue with a new version of swfupload.swf in June with XenForo 1.1.3.

WordPress fixed the last major issue with SWFUpload last April when it pushed version 3.3.2 of its popular blogging platform. That build addressed a seemingly separate XSS issue (CVE-2012-3414) discovered that spring by Brown University students Neal Poole and Nathan Partlan.

It remains unclear whether the XSS and content spoofing issues relate to the earlier issue. However, the author of the Full Disclosure post said these bugs are from November and no one has fixed them.
