XSS vulnerability in recorder.swf #23

Closed
Miladbr opened this issue Feb 16, 2014 · 4 comments

Miladbr commented Feb 16, 2014

Vulnerable Code:

// eventHandler is taken from the event_handler URL parameter; ExternalInterface.call
// hands that string to the browser as the JavaScript function to invoke
public function ready(width:int, height:int):void {
  ExternalInterface.call(this.eventHandler, RecorderJSInterface.READY, width, height);
  if (!this.recorder.mic.isMuted()) {
    onMicrophoneStatus(new StatusEvent(StatusEvent.STATUS, false, false, "Microphone.Unmuted", "status"));
  }
}

PoC: recorder.swf?event_handler=alert(document.domain)
@michalstocki
Owner

Thanks for the attention. As I understand it, the only possible attack scenario is to include malicious code while embedding the recorder swf. For embedding the swf, the hacker needs access to put an <object> tag into the website source. To put this kind of tag he needs full access to the HTML source of the site; he could more easily put malicious code by including a <script> tag. The recorder doesn't give him any additional chance to attack.
Correct me if I'm wrong.

However, I'd like to fix this "bug". My idea is to validate the string given as "eventHandler" to allow only function names.
PoC:

// Accept only a bare identifier. ActionScript's RegExp uses ECMAScript syntax, so the
// anchors are ^ and $ (\A and \z are not recognised as anchors there)
var requirement:RegExp = /^\w+$/;
if (requirement.test(eventHandler)) {
  recorderInterface.eventHandler = eventHandler;
}

@michalstocki
Owner

@Miladbr I'll be grateful for your feedback.

@Miladbr
Author

Miladbr commented Mar 18, 2014

Hmm, actually there is no difference between a usual XSS and a Flash-based XSS. Consider that recorder.swf is hosted on xyz.com; when someone (silently, via a hidden iframe) opens "http://xyz.com/recorder.swf?event_handler=malicious_JavaScript_here", the JavaScript will be executed in the context of xyz.com.

@michalstocki
Owner

I'm merging the pull request mentioned above (pull request #25) as a temporary patch. In the next release we'll include a complete solution, which breaks backward compatibility. Flash will expect a specific JavaScript function to be defined in the global context, e.g. fwr_event_handler.
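An added example (a JavaScript model written for this page, not code from the recorder project) covering both fixes discussed in this thread: the allowlist check on the event_handler name from the owner's earlier comment, and the fixed fwr_event_handler design from the last one. It assumes a constructed object pageGlobals standing in for the page's window, and buildCallExpression is a simplified model of how ExternalInterface.call splices the name into a JavaScript expression.

```javascript
// The pattern as posted in the thread. ActionScript's RegExp follows ECMAScript
// syntax, where \A and \z are not anchors: this wants a literal "A", word
// characters, then a literal "z", so an ordinary name like "onRecorderEvent" fails.
const AS_POSTED = /\A\w+\z/;

// Corrected allowlist: the whole string must be a single identifier-like token.
const HANDLER_NAME = /^[A-Za-z_$][\w$]*$/;

function isSafeHandlerName(name) {
  return typeof name === 'string' && HANDLER_NAME.test(name);
}

// Model of what ExternalInterface.call(name, ...args) amounts to on the page:
// the name is spliced into a JavaScript expression the browser then evaluates.
// (Assumption: simplified to string concatenation; the real wrapper differs.)
function buildCallExpression(name, args) {
  return name + '(' + args.map((a) => JSON.stringify(a)).join(', ') + ')';
}

// Hardened dispatch in the spirit of the owner's first fix: validate the name,
// then look it up as an own property instead of evaluating it (the own-property
// check keeps inherited functions such as "constructor" out of reach).
function dispatch(globalObj, name, eventName, ...args) {
  if (!isSafeHandlerName(name)) {
    throw new Error('rejected event_handler value: ' + name);
  }
  if (!Object.prototype.hasOwnProperty.call(globalObj, name) ||
      typeof globalObj[name] !== 'function') {
    throw new Error('event_handler is not a page-defined function: ' + name);
  }
  return globalObj[name](eventName, ...args);
}

// The follow-up design from the thread: the SWF never takes a function name
// from the URL; it always calls fwr_event_handler and passes the event name
// as data, so the host page, not the query string, decides what handles it.
function dispatchFixed(globalObj, eventName, ...args) {
  const fn = globalObj.fwr_event_handler;
  if (typeof fn !== 'function') {
    throw new Error('page must define fwr_event_handler');
  }
  return fn(eventName, ...args);
}

// Constructed page globals for the demo (assumption: a host page defines these).
const pageGlobals = {
  onRecorderEvent: (eventName, w, h) => eventName + ':' + w + 'x' + h,
  fwr_event_handler: (eventName, ...rest) => ({ eventName, rest }),
};
```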
