[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
FlashCanvas 1.5 proxy.php XSS Vulnerability
Title: FlashCanvas proxy.php XSS Vulnerability
Date published: 11 December 2013
Script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ?url? GET parameter and rendering it.
FlashCanvas 1.5 and possibly older.
FlashCanvas is also used in other software frameworks such as WebShims, therefore the affected software maybe wider.
Description of Issue
The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ?url? GET parameter and rendering it. This leads to some interesting possibilities, the one proved being cross-site scripting.
More technical detail can be found here:
We would recommend updating to version 1.6 http://flashcanvas.net/release/1.6