Below you'll find my findings regarding FusionCharts vulnerabilities:
A) I found that it was possible for an attacker to execute an XSS attack by loading an external XML file through the dataURL parameter.
For example (click the graph for the XSS PoC):
When the victim clicks the malicious graph, the XSS payload runs in their browser.
B) An attacker can carry out a redirection attack (new tab) in Firefox through the LogoURL parameter.
This parameter effectively permits the attacker to load an external SWF file. To perform the redirection, the attacker's SWF calls the req.send function in ActionScript, for example:
req.send("http://nirgoldshlager.com", "_blank", "GET");
Cross Domain Policy file:
What about the anti-XSS regex in the ActionScript?
We're all familiar with the old debugmode=1 bug in FusionCharts, correct?
I have taken an extensive look at FusionCharts' ActionScript and found that the regex it uses to match dangerous input is not an adequate measure against cross-site scripting.
It's also possible to bypass it with data:text/html, or with the mocha and livescript schemes in older versions of Netscape.
The correct solution might look like:
As discovered by security researcher Ben Hayak (@benhayak):
A new parameter (defaultDataFile) has been found to be vulnerable to XSS as well. This parameter can be used when the dataURL parameter is protected or blocked.
var _defaultDataFile = unescape(getFirstValue(rootAttr.defaultdatafile, "Data.xml"));
This parameter can therefore be used to execute an XSS attack.
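The dataURL finding, the regex bypass and the defaultDataFile finding above all come down to the same missing check on a data-source parameter. The following is an added example, not FusionCharts' own code or the author's, written in JavaScript as a stand-in for the ActionScript: it puts a denylist regex of the kind the post criticises next to an allowlist check that decodes the value first (as the chart's unescape() does) and then accepts only http(s) URLs on an allowed host. The base URL, allowed host names and sample values are constructed for the example.

```javascript
// Added example, not FusionCharts' own code: a denylist regex of the kind the
// post criticises next to an allowlist check for a chart data-source parameter
// (dataURL / defaultDataFile). Host names and sample values are constructed.

// Weak check: look for "javascript:" in the raw, still percent-encoded value.
// This is the shape of filter the post says is inadequate.
function weakDenylistCheck(rawValue) {
  return !/javascript:/i.test(rawValue);
}

// Hardened check: decode the value first (the chart calls unescape() on it,
// so the filter must see what the chart sees), then require an http(s) URL
// whose host is on an explicit allowlist. Any other scheme (javascript:,
// data:, mocha:, livescript:, ...) fails the scheme test rather than needing
// its own regex entry.
function allowlistCheck(rawValue, allowedHosts, baseUrl) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawValue); // stand-in for ActionScript unescape()
  } catch (e) {
    return false; // malformed percent-encoding: reject
  }
  let parsed;
  try {
    parsed = new URL(decoded, baseUrl); // relative names such as Data.xml resolve against the chart's origin
  } catch (e) {
    return false; // not a URL at all
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return false;
  }
  return allowedHosts.includes(parsed.hostname.toLowerCase());
}

// Constructed sample inputs in the spirit of the post's findings.
const BASE_URL = "https://charts.example.com/charts/"; // assumed origin of the embedding page
const ALLOWED_HOSTS = ["charts.example.com"];          // assumed allowlist
const SAMPLE_VALUES = [
  "Data.xml",                                   // the default, relative to the chart
  "https://charts.example.com/sales.xml",       // legitimate absolute URL
  "java%73cript:alert(1)",                      // percent-encoding defeats the raw regex
  "data:text/html,<script>alert(1)</script>",   // data: bypass mentioned in the post
  "mocha:alert(1)",                             // legacy Netscape scheme from the post
  "//evil.example/chart.xml",                   // scheme-relative, resolves to another host
];

// Run both checks over the samples; returns [{value, weak, hardened}, ...].
function compareChecks(values = SAMPLE_VALUES) {
  return values.map((value) => ({
    value,
    weak: weakDenylistCheck(value),
    hardened: allowlistCheck(value, ALLOWED_HOSTS, BASE_URL),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compareChecks()) {
    const weak = row.weak ? "weak:ACCEPT " : "weak:reject ";
    const hard = row.hardened ? "hardened:ACCEPT" : "hardened:reject";
    console.log(`${weak} ${hard}  ${row.value}`);
  }
}
```

Run it with node to print both verdicts for each sample value. The point is that the hardened check needs no entry for data:, mocha: or livescript: at all: anything that is not an http(s) URL on an allowed host is rejected by construction, and checking after decoding closes the percent-encoding gap that a regex over the raw value leaves open.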