Full Disclosure mailing list archives

XSS vulnerabilities in 8 millions flash files


From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 22 Dec 2009 16:19:48 +0200

Hello participants of Full-Disclosure.

Recently, on the 18th of December 2009, I wrote the article XSS vulnerabilities in
8 millions flash files (http://websecurity.com.ua/3781/), and yesterday I
wrote an English version of it (http://websecurity.com.ua/3789/).

I’ll continue the topic which I started in 2008 in my article XSS
vulnerabilities in 215000 flash files
(http://www.webappsec.org/lists/websecurity/archive/2008-11/msg00110.html).
At that time I found hundreds of thousands of flash files vulnerable to Cross-Site
Scripting attacks. After the previous article, published on 12.11.2008, I
continued my research and found that many more flash files - millions of flash
files - were vulnerable to XSS attacks: both flash files in different global
and local banner systems and flash files at individual sites.

Table of contents:

1. Vulnerable ActionScript code.
2. Prevalence of the problem.
3. Nuances of work in different browsers.
4. Examples of vulnerable flash files.
5. Protection of flash files against XSS attacks.

Some important quotes:

Vulnerability exists in ActionScript code for counting of clicks in flash
banners.

In total it’s about 8010000 (more than 8 million) flash files which are
potentially vulnerable to XSS attacks.

I.e. another 34 million flashes which are potentially vulnerable to XSS
attacks :-). Add 34 million to 8 million and the result is 42 million
vulnerable flash files!

You can read the article XSS vulnerabilities in 8 millions flash files at my
site: http://websecurity.com.ua/3789/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
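The click-counting pattern the article refers to, shown here as an added example that is not code from the article or from MustLive: the common banner handler beside a hardened version that follows only http(s) URLs. The variable name clickTAG and the button instance name clickButton are assumptions; clickTAG is the usual ad-network convention for passing the click-through URL into the SWF through FlashVars or the query string.

```actionscript
// Frame 1 script of a Flash banner (ActionScript 2). Added example, not from
// the article. Assumed names: clickButton is an invisible button covering the
// banner; _root.clickTAG holds the click-through URL supplied from outside the
// SWF (FlashVars or the query string of the object/embed tag).

// Vulnerable pattern: whatever was placed in clickTAG is handed to getURL()
// unchanged. The SWF runs in the origin of the page that serves it, so a
// non-http(s) URL scheme passed in clickTAG is executed with that origin's
// privileges in the user's browser. This is the click-counting code the
// article describes as vulnerable to XSS.
function vulnerableClick():Void {
    getURL(_root.clickTAG, "_blank");
}

// Hardened pattern: accept only absolute http:// or https:// URLs and follow
// nothing otherwise. A missing clickTAG (undefined) is also rejected, and the
// comparison is case-insensitive so "HTTP://" is treated like "http://".
function isSafeClickUrl(url:String):Boolean {
    if (url == undefined) {
        return false;
    }
    var lower:String = url.toLowerCase();
    return lower.substr(0, 7) == "http://" || lower.substr(0, 8) == "https://";
}

function safeClick():Void {
    if (isSafeClickUrl(_root.clickTAG)) {
        getURL(_root.clickTAG, "_blank");
    }
    // Any other value is silently ignored: the banner simply does not navigate.
}

// Wire the hardened handler to the button; vulnerableClick is kept above only
// for comparison and is never assigned.
clickButton.onRelease = safeClick;
```

When auditing existing banners, the pattern to look for is any getURL() or navigateToURL() call whose argument comes from _root, _level0 or loaderInfo.parameters without a scheme check in between.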

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
