Flash-Based Open Redirect

Description

Adobe flash is quite popular before HTML5 came. After HTML5, it is very rarely used but still exist in older websites.

On December 31, 2020, Adobe Systems will officially stop updating and distributing Adobe Flash.

Flash File (.swf) can be used for displaying animated content, interactive content, Slide shows on the website. Sometimes, it can be used for advanced purposes like uploading the file.

Example

Wordpress CMS (Content management system) version 2.7 to 3.3.1 has vulnerable swfupload.swf file.

http://site.com/wp-includes/js/swfupload/swfupload.swf

Now, Attacker can add GET parameter as,

?debugEnabled=true?&buttonImageURL=https://attacker.com/malicious.swf

But, swfupload.swf is checking that if the user-provided any GET parameter, and if found, it gets removed. This was implemented as below,

for(key in params)
{
        if(query.hasOwnProperty(Utils.trim(key)))
    {
        delete params[key];
    }
}

But hackers found bypass to this. As above code is filtering ascii encoded strings, a = %61 b = %62 etc.

They just added invalid ASCII code %x in each key, so that it is not filtered out.

?debugEn%xabled=true?&buttonImag%xeURL=https://attacker.com/malicious.swf

And this was successfully redirected to the malicious SWF file.

Impact

An attacker can send a user to some malicious flash file.

Prevention

As the adobe stopped supporting Flash, Do not use other flash files, which may have vulnerabilities.

web vulnerabilities

Flash-Based Open Redirect

Description

Example

Impact

Prevention