XSS Vulnerabilities in Common Shockwave Flash Files


Mar 5, 2002
Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe® Dreamweaver®, Adobe Acrobat® Connect™ (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).

This problem is not limited to authoring tools. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects.

Simple Google hacking queries reveal that hundreds of thousands of SWFs are vulnerable on the Internet, and a considerable percentage of major Internet sites are affected. We are only reporting XSS vulnerabilities that have been fixed by the vendors.


The Fix

All of the measures below should be taken:

Update to the latest version of Flash as soon as possible, available here (Flash does, apparently, have an auto update mechanism but I have NEVER been prompted to update, so don't assume you have the latest version). This will protect users from attacks using the "asfunction" protocol handler.

Website Owners

All vulnerabilities reported above have been fixed, so please:
  • Remove vulnerable SWFs from your website
  • Follow the manufacturers’ advice on republishing your SWFs

  • It is likely that other authoring tools that automatically generate SWFs can be used for XSS attacks. We highly recommend that website owners serve automatically generated SWFs from numbered IP addresses or from "safe" domains (i.e. domains that contain no sensitive cookies or domains that cannot be used for phishing)
  • Depending on the impact of XSS on a given website, website owners may want to even consider moving or removing all third-party generated SWFs
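To act on the "serve generated SWFs from a safe domain" advice you first need an inventory of which SWFs a page embeds and where they are hosted. The following script is an added example, not part of the advisory or any vendor's code: it parses a page's `<embed>`, `<object>` and `<param name="movie">` references and flags SWFs served from the page's own cookie-bearing origin or from an unvetted third party rather than from an allowlisted sandbox host (the hostnames and the HTML sample are constructed for illustration).

```python
"""Inventory SWF files embedded in a page and flag those not served from
a designated cookieless 'safe' domain, per the advisory's recommendation."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class SwfEmbedParser(HTMLParser):
    """Collect .swf URLs from <embed src>, <object data> and <param name="movie">."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.swf_urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        candidate = None
        if tag == "embed":
            candidate = a.get("src")
        elif tag == "object":
            candidate = a.get("data")
        elif tag == "param" and (a.get("name") or "").lower() == "movie":
            candidate = a.get("value")
        # Ignore query strings when checking the extension; resolve relative paths.
        if candidate and candidate.lower().split("?")[0].endswith(".swf"):
            full = urljoin(self.base_url, candidate)
            if full not in self.swf_urls:  # <object data> and <param movie> often repeat
                self.swf_urls.append(full)


def audit_swf_hosting(page_url, html, safe_hosts):
    """Return (swf_url, verdict) pairs. 'safe' = allowlisted cookieless host,
    'same-origin' = served from the page's own host (XSS reaches its cookies),
    'third-party' = any other host, which needs review."""
    parser = SwfEmbedParser(page_url)
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    report = []
    for url in parser.swf_urls:
        host = urlparse(url).hostname
        if host in safe_hosts:
            verdict = "safe"
        elif host == page_host:
            verdict = "same-origin"
        else:
            verdict = "third-party"
        report.append((url, verdict))
    return report
```

Point `audit_swf_hosting` at the HTML of each page on the site and treat every `same-origin` and `third-party` entry as a candidate for removal or relocation to the sandbox host.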

