Security Bulletin: SWF Vulnerability in YUI 2

By YUI Team, November 11th, 2013

Overview

An external source has notified us of a previously unknown security vulnerability in YUI 2 involving hosted uploader.swf files. This vulnerability affects YUI 2 versions 2.5.0 through 2.9.0. The SWF reads its allowedDomain parameter from the query string and passes it, without escaping, into JavaScript that it executes in the page (and therefore the origin) that serves it, so a crafted value runs arbitrary script on the hosting domain. A request such as this one triggers it:

uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//

URL-decoded, the parameter value is \"}))}catch(e){alert(document.domain);}// : it closes the surrounding expression and try block, appends the attacker's own statement, and uses // to comment out whatever follows.

This problem is not reproducible in YUI 3.

Resolution

If you are using, or even merely hosting, any YUI 2 .swf file, remove those files from your hosts immediately. Hosting alone is enough to be exposed: the injected script runs in the origin of whichever site serves the SWF, whether or not that site actually uses the uploader.

YUI 2 is an end-of-life project and is no longer supported. All YUI 2 .swf files have been removed from the Yahoo CDN; if your site relied on their presence there, they are no longer available and the features that depended on them will stop working.

Additional Information

We recommend projects remove all Flash-based features unless they are prepared to devote proper resources and attention to addressing security issues.

Note that all Flash files have already been deprecated and removed from YUI 3. If you must use these features, you will need to compile and host your own .swf files from the source in the yui3-swfs repo.

These details have also been captured in a YUI Security Bulletin for future reference.

Special Thanks

A big thank you to @soiaxx who reported this to us.

2 Comments

  1. Was it really necessary to release the details of HOW to perform the attack? Previous security bulletins have not disclosed this information. I assume the details of the attack must already be common knowledge, but there is no need to put up a sign and advertise it.

  2. Andrew Wooldridge said:
    November 11, 2013 at 2:47 pm

    Hi Chris,
    In previous bulletins the files were patched to fix the vulnerability. In this instance, there is no patch, so this information is necessary for anyone seeking to correct it themselves.
