Security issue with SWFUpload: XSS via ExternalInterface.call


Marc Laporte

Jul 7, 2012, 4:44:12 PM
to swfu...@googlegroups.com
It's been posted here:
http://code.google.com/p/swfupload/issues/detail?id=376

Which links to: https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/

And in the comments:

"In this case, both the SWFUpload and Plupload developers were notified of the issue. The Plupload developers patched their code and released a new version. The SWFUpload developers never replied. SWFUpload hasn’t had a commit since early 2010. As far as I can tell, nobody is maintaining it but the applet is still used all over the place. So I told the WordPress developers, let them release a patched version, and then disclosed details of the issue so that people would know they were at risk."

How to get commit access?

Thanks!

M ;-)

Marc Laporte

Jul 7, 2012, 5:28:43 PM
to swfu...@googlegroups.com