Today, I want to share one of my findings from 2013, which is an XSS vulnerability in a Flash file used by many popular websites. The Flash file was called sIFR (Scalable Inman Flash Replacement).

How did I find it? Until today, I thought I was the first to report this issue. In fact, it is an old bug that has a CVE (read more). Let’s discuss what I found. As I was looking for a bug in Adobe, my browser directed me to:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE%20PHOTOSHOP%20CS3&textcolor=

The txt parameter was simple text. The textcolor parameter accepted an HTML color code. I changed ADOBE PHOTOSHOP CS3 to XSS.

The page displayed XSS. I used the txt parameter to show our text, so I replaced it with an XSS payload:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah')">xss</a>

It worked! Plus, I noticed something in the URL. It looked like a file path in www.adobe.com, so I deleted the wwwimages.adobe.com/ from the URL and navigated to:

https://www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah')">xss</a>


I injected my name into the code, marking my beginning with bug bounty, a very good start actually. I thought that sIFR2.0.2 might be an Adobe product used on other websites, so I started searching for it elsewhere. I found it being used by major companies and government organizations, including Visa, AMEX, Blackberry, Stanford, Harvard, and more. Here are some examples:


The PoC video:

There are still many other vulnerable websites where this can be found.
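For anyone still hosting an sIFR movie, requests like the ones above can be spotted in the web server's own access logs. The following is an added example, not part of the original write-up: it flags requests to `.swf` files whose `txt` parameter carries a link with a scheme outside an allow-list. The log lines, function names and the allow-list itself are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines; the IPs, dates and paths are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jun/2020:10:00:01 +0000] "GET /lib/sIFR2.0.2/myriad.swf'
    '?txt=ADOBE%20PHOTOSHOP%20CS3&textcolor=%23000000 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jun/2020:10:00:05 +0000] "GET /lib/sIFR2.0.2/myriad.swf'
    '?txt=%3Ca%20href%3D%22javascript%3Aalert(1)%22%3Exss%3C%2Fa%3E HTTP/1.1" 200 5120',
    '203.0.113.4 - - [01/Jun/2020:10:01:12 +0000] "GET /lib/sIFR2.0.2/myriad.swf'
    '?txt=%3Ca%20href%3D%22https%3A%2F%2Fexample.com%2F%22%3Edocs%3C%2Fa%3E HTTP/1.1" 200 5120',
    '203.0.113.8 - - [01/Jun/2020:10:02:30 +0000] "GET /lib/sIFR2.0.2/myriad.swf'
    '?txt=%3CA%20HREF%3DJavaScript%3Aalert(1)%3Exss%3C%2FA%3E HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jun/2020:10:03:00 +0000] "GET /index.html?txt=hello HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
HREF_RE = re.compile(r'''href\s*=\s*["']?\s*([^"'\s>]*)''', re.IGNORECASE)
SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.\-]*):', re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed allow-list; adjust per site

def disallowed_hrefs(txt):
    """Return href targets in decoded txt whose URL scheme is not allow-listed."""
    bad = []
    for target in HREF_RE.findall(txt):
        m = SCHEME_RE.match(target)
        if m and m.group(1).lower() not in ALLOWED_SCHEMES:
            bad.append(target)
    return bad

def suspicious_swf_requests(lines):
    """Return (client, path, bad_hrefs) for .swf requests with a risky txt value."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, url = m.groups()
        parts = urlsplit(url)
        if not parts.path.lower().endswith(".swf"):
            continue
        # parse_qs percent-decodes each value once, as the server would.
        for txt in parse_qs(parts.query).get("txt", []):
            bad = disallowed_hrefs(txt)
            if bad:
                hits.append((client, parts.path, bad))
    return hits

if __name__ == "__main__":
    print(suspicious_swf_requests(SAMPLE_LOG))
```

Relative links and http/https links in `txt` are left alone, so ordinary sIFR headings that contain a link do not raise alerts.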

Thank you for reading.
