0x00

Monday, August 3, 2015

One payload to XSS them all!

Hi,

Today I want to share a find of mine from 2013: an XSS in a Flash file that was used on many websites (famous websites!).
The Flash file was called sIFR (Scalable Inman Flash Replacement).

Q: How did I find it?

A: Until today I thought I was the first one to report this issue; in fact it is an old bug
that has a CVE (Read more).

So let's talk about what I found. I was looking for bugs in Adobe, and my exploring led me to:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=

The (txt) parameter took simple text.
The (textcolor) parameter took an HTML color code.

I changed (ADOBE PHOTOSHOP CS3) to XSS.

The page showed XSS, and when I made the payload:

Hmm, good, the txt parameter shows our text; let's do HTML things.


http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

It works!!! And I found an XSS on Adobe. But I noticed something in the URL:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=
It looks like the path of a file on (www.adobe.com), so I deleted (wwwimages.adobe.com/) from the URL

and went to:


https://www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

The XSS showed in the page; I clicked on it and boom!
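As an added defender-side example (not from the original post), here is a Python script that scans web-server access log lines for requests to .swf files whose txt parameter carries HTML tags or a javascript: URI, the pattern of the sIFR issue above. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic): a benign sIFR
# request, an injected javascript: link, a double-encoded HTML tag, and
# an unrelated page request.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Aug/2015:10:00:01 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE%20PHOTOSHOP%20CS3&textcolor= HTTP/1.1" 200 512
203.0.113.7 - - [03/Aug/2015:10:00:02 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=%3Ca%20href%3D%22javascript%3Aalert(1)%22%3Exss%3C%2Fa%3E HTTP/1.1" 200 512
203.0.113.8 - - [03/Aug/2015:10:00:03 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=%253Cb%253Ehi%253C%252Fb%253E HTTP/1.1" 200 512
203.0.113.9 - - [03/Aug/2015:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')   # request target in a combined-format log line
TAG_RE = re.compile(r'<\s*/?\s*[a-z]', re.I)         # start of an HTML tag, e.g. "<a" or "</a"
JS_URI_RE = re.compile(r'javascript\s*:', re.I)     # javascript: URI scheme

def suspicious_sifr_request(url):
    """Return a reason string if url targets a .swf and its txt parameter
    contains a javascript: URI or an HTML tag; otherwise return None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith('.swf'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for value in params.get('txt', []):
        decoded = unquote(unquote(value))  # also catch double-encoded payloads
        if JS_URI_RE.search(decoded):
            return 'javascript: URI in txt'
        if TAG_RE.search(decoded):
            return 'HTML tag in txt'
    return None

def scan_log(text):
    """Return (line number, reason) pairs for every suspicious request in the log text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        reason = suspicious_sifr_request(m.group(1))
        if reason:
            hits.append((lineno, reason))
    return hits

if __name__ == '__main__':
    for lineno, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Requests flagged this way deserve a look at the referrer and the client that sent them; the same check applied at a WAF or reverse proxy blocks the request before the swf ever renders it.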


Please bear with me that I injected my name in the code; it was my start at bug bounty hhhhh :).

So it was very good.

Now I thought that (sIFR2.0.2) is an Adobe product that I could find on other websites.

I made a dork to find others.

There were too many websites; wait for the surprise, it was a big one:

Visa, AMEX, Blackberry, Stanford, Harvard, and many Gov sites.

Here are some samples:


The PoC video:


There are many other websites that are vulnerable.

Thanks for reading.


Useful links:
1-http://news.softpedia.com/news/sIFR-Vulnerability-Impacts-Adobe-BlackBerry-Visa-Amazon-and-Other-Sites-Video-427053.shtml
2-https://en.wikipedia.org/wiki/Scalable_Inman_Flash_Replacement
3-http://www.hackbusters.com/news/stories/18150-sifr-vulnerability-impacts-adobe-blackberry-visa-amazon-and-other-sites-video
4-http://www.youtube.com/watch?v=7WeIeJ_YYOQ