TechSmith Camtasia 7 / 8 Cross Site Scripting

Risk: Low
Local: No
Remote: Yes

Title: Reflected XSS in Flash files of TechSmith Camtasia 8 & 7 Author: Soroush Dalili (@irsdl) Affected Software: TechSmith Camtasia v8.4.4 (latest 8.x) & v7.1.1 (latest 7.x) Vendor URL: Vendor Status: vulnerable CVE-ID: - Camtasia 8 (v8.4.4 (latest 8.x) - vulnerable): ============================================== TechSmith Camtasia is a screen recorder and video editor. After version 8, it does not create SWF files that contain the video file. Instead, it creates a MP4 file with HTML5 and SWF players. However, SWF Player in version 8.4.3 (latest version at the time of testing) was vulnerable to a reflected XSS attack. After producing a Flash/HTML5 output, Camtasia creates the following flash file: ProjectName_controller.swf This file is vulnerable to Open Redirect and XSS by loading a config file that redirects the browser to an arbitrary destination after playing a video. The destination URL can be attacker's URL (such as "//") or a JavaScript that uses "javascript:" protocol. The following shows a PoC code: ProjectName_controller.swf?src= /small.mp4&xmp=// This file can be found in any website that uses Camtasia projects for instance website: Camtasia 7 (v7.1.1 (latest 7.x) - vulnerable): ============================================== An XSS issue was resolved previously in generated Flash files of Camtasia 7 ( TechSmith had patched this vulnerability by implementing the "safeDomainCheck" function that checks whether the domain is allowed or not in order to load the config file. However, this protection can be bypassed by using "//" instead of "http://" or "https://". PoC code is as follows: ProjectName_controller.swf?csConfigFile=// /camtasia_v7.xml&.swf Solution: ========= Upgrade from Camtasia version 7 to 8. Use Camtasia HTML5 player instead of the Flash player in Camtasia v8 and remove the old Flash files from affected websites. Disclosure Timeline: ==================== 04-Nov-2014 ? discovered 11-Nov-2014 ? reported 14-Nov-2014 ? initial acknowledge of receiving the issue from the vendor 17-Nov-2014 ? the vendor confirmed that they know about these issues and they do not have any ETA to patch the issue 18-Nov-2014 - the vendor confirmed that this issue can be publicly disclosed 07-Jan-2014 - the vendor also confirmed that this issue can be reported to the security mail lists (double confirmation)! Credit: ======= Vulnerability found by Soroush Dalili (@irsdl)

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top