Full Disclosure mailing list archives
XSS vulnerabilities in 8 millions flash files
From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 22 Dec 2009 16:19:48 +0200
Hello participants of Full-Disclosure.

Recently, on the 18th of December 2009, I wrote the article XSS vulnerabilities in 8 millions flash files (http://websecurity.com.ua/3781/), and yesterday I wrote the English version of it (http://websecurity.com.ua/3789/).

I'll continue the topic I started in 2008 in my article XSS vulnerabilities in 215000 flash files (http://www.webappsec.org/lists/websecurity/archive/2008-11/msg00110.html). At that time I found hundreds of thousands of flash files vulnerable to Cross-Site Scripting attacks. After the previous article, published on 12.11.2008, I continued my research and found that many more flash files - millions of flash files - were vulnerable to XSS attacks: both flash files in different global and local banner systems and flash files at individual sites.

Table of contents:

1. Vulnerable ActionScript code.
2. Prevalence of the problem.
3. Nuances of work in different browsers.
4. Examples of vulnerable flash files.
5. Protection of flash files against XSS attacks.

Some important quotes:

The vulnerability exists in ActionScript code for counting clicks in flash banners.

In total it's about 8010000 (more than 8 million) flash files which are potentially vulnerable to XSS attacks.

I.e. another 34 million flashes which are potentially vulnerable to XSS attacks :-). Add 34 million to 8 million and the result is 42 million vulnerable flash files!

You can read the article XSS vulnerabilities in 8 millions flash files at my site: http://websecurity.com.ua/3789/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/