Message-ID: <00c301ca8311$fd31c320$010000c0@ml>
Date: Tue, 22 Dec 2009 16:19:48 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: XSS vulnerabilities in 8 millions flash files

Hello participants of Full-Disclosure.

Recently, on the 18th of December 2009, I wrote the article "XSS vulnerabilities in 8 millions flash files" (http://websecurity.com.ua/3781/), and yesterday I wrote the English version of it (http://websecurity.com.ua/3789/).

I'll continue a topic which I started in 2008 in my article "XSS vulnerabilities in 215000 flash files" (http://www.webappsec.org/lists/websecurity/archive/2008-11/msg00110.html). At that time I found hundreds of thousands of flash files vulnerable to Cross-Site Scripting attacks. After the previous article, published on 12.11.2008, I continued my research and found that many more flash files - millions of flash files - were vulnerable to XSS attacks: flash files in different global and local banner systems, as well as flash files at individual sites.

Table of contents:

1. Vulnerable ActionScript code.
2. Prevalence of the problem.
3. Nuances of work in different browsers.
4. Examples of vulnerable flash files.
5. Protection of flash files against XSS attacks.

Some important quotes:

The vulnerability exists in ActionScript code for counting of clicks in flash banners.

In total it's about 8010000 (more than 8 million) flash files which are potentially vulnerable to XSS attacks.

I.e. another 34 million flashes which are potentially vulnerable to XSS attacks :-). Add 34 million to 8 million and the result is 42 million vulnerable flash files!

You can read the article "XSS vulnerabilities in 8 millions flash files" at my site:
http://websecurity.com.ua/3789/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
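The post names the vulnerable code only as "ActionScript code for counting of clicks in flash banners" and a section on protection, without showing either. As an added illustration that is not from MustLive's article or from the list, the ActionScript 2 snippet below assumes the common banner convention of receiving the click-tracking URL through a FlashVars parameter named clickTAG, and shows the unchecked handler next to a hardened one that only follows absolute http(s) URLs.

```actionscript
// Added example (not from the original post). Assumption: the banner receives
// its click-tracking URL via the FlashVars parameter clickTAG, as many
// ad-serving systems do; the name is not taken from the page.

// Before: whatever arrives in clickTAG is handed to getURL unchanged, so the
// scheme of the URL is decided entirely by the embedding page's parameters.
function onClickVulnerable():Void {
    getURL(_root.clickTAG, "_blank");
}

// Accept only absolute http:// or https:// URLs; anything else (missing,
// empty, relative, or a non-web scheme) is rejected.
function isSafeClickUrl(url:String):Boolean {
    if (url == undefined || url == null) {
        return false;
    }
    var lower:String = url.toLowerCase();
    return lower.indexOf("http://") == 0 || lower.indexOf("https://") == 0;
}

// After: the click is only counted (and the browser only navigated) when the
// tracking URL passes the scheme check; otherwise the click is ignored.
function onClickHardened():Void {
    var target:String = _root.clickTAG;
    if (isSafeClickUrl(target)) {
        getURL(target, "_blank");
    }
}

// bannerButton is the invisible button covering the banner; only the
// hardened handler should ship.
bannerButton.onRelease = onClickHardened;
```

Restricting the scheme at the point of use is the check the banner itself can enforce; an allow-list of tracking domains, where the banner system publishes one, tightens it further.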