
Flex 3 HistoryManager Exploit?

By Rich Tretola | June 18, 2008

I was just reading this article this morning about an exploit in the historyFrame.html file shipped with the Flex 3.0.1 SDK: the hidden history frame writes the contents of its own URL into the page without encoding it.
The article states that the Flex 3.0.1 SDK contains this vulnerability and that the issue was fixed in the Flex 3.0.2 build. I downloaded build 3.0.2.2095, dated June 17, 2008, and compared its historyFrame.html and history.js files with my 3.0.0 and 3.0.1.1739 builds and saw no differences.

UPDATED: I have since downloaded a separate fix zip file that includes a new historyFrame.html, and that one does have the patch.

Here is the original Flex 3.0.1 historyFrame.html file:

  1. <html>
  2.     <head>
  3.         <meta HTTP-EQUIV="Pragma" CONTENT="no-cache">
  4.         <meta HTTP-EQUIV="Expires" CONTENT="-1">
  5.     </head>
  6.     <body>
  7.     <script>
  8.         function processUrl()
  9.         {
  10.  
  11.             var pos = url.indexOf("?");
  12.             url = pos != -1 ? url.substr(pos + 1) : "";
  13.             if (!parent._ie_firstload) {
  14.                 parent.BrowserHistory.setBrowserURL(url);
  15.                 try {
  16.                     parent.BrowserHistory.browserURLChange(url);
  17.                 } catch(e) { }
  18.             } else {
  19.                 parent._ie_firstload = false;
  20.             }
  21.         }
  22.  
  23.         var url = document.location.href;
  24.         processUrl();
  25.         document.write(url);
  26.     </script>
  27.     Hidden frame for Browser History support.
  28.     </body>
  29. </html>

Here is the updated historyFrame.html file:

  1. <html>
  2.     <head>
  3.         <meta HTTP-EQUIV="Pragma" CONTENT="no-cache">
  4.         <meta HTTP-EQUIV="Expires" CONTENT="-1">
  5.     </head>
  6.     <body>
  7.     <script>
  8.         function processUrl()
  9.         {
  10.  
  11.             var pos = url.indexOf("?");
  12.             url = pos != -1 ? url.substr(pos + 1) : "";
  13.             if (!parent._ie_firstload) {
  14.                 parent.BrowserHistory.setBrowserURL(url);
  15.                 try {
  16.                     parent.BrowserHistory.browserURLChange(url);
  17.                 } catch(e) { }
  18.             } else {
  19.                 parent._ie_firstload = false;
  20.             }
  21.         }
  22.  
  23.         var url = document.location.href;
  24.         processUrl();
  25.         document.write(encodeURIComponent(url));
  26.     </script>
  27.     Hidden frame for Browser History support.
  28.     </body>
  29. </html>

The only difference is on line 25: the url is now passed through encodeURIComponent before it is written. In the original, processUrl() reduces url to everything after the first "?" in the frame's own address, and document.write(url) then emits that string as raw HTML. Since the query string comes from whoever controls the URL, a value containing a <script> tag executes in the origin of the Flex application, i.e. reflected cross-site scripting. With encodeURIComponent the characters < > " & / = are percent-encoded, so the browser renders the value as inert text. Two caveats are worth noting. First, encodeURIComponent leaves ' ( ) ! * ~ unencoded, which is acceptable here only because the value is written as text content, not into an attribute or script context. Second, line 14 dereferences parent.BrowserHistory outside the try block, so when historyFrame.html is opened directly, processUrl() throws before line 25 is reached; the write only happens when the frame is loaded by the Flex wrapper page, where BrowserHistory is defined.
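The following is an added example, not code from the Flex SDK or from the original post. It models the two historyFrame.html variants as pure functions so the effect of the one-line fix can be checked offline under Node, without a browser. The host name and the URLs are constructed assumptions; the query-string handling mirrors processUrl() above.

```javascript
// Added example (not Flex SDK code): model document.write(url) versus
// document.write(encodeURIComponent(url)) as functions returning the string
// that the hidden frame would contain.

// Mirrors processUrl(): keep only what follows the first "?" in the frame's
// own address. History state arrives in this query string, so its contents
// come from whoever controls the URL.
function historyQuery(href) {
  const pos = href.indexOf("?");
  return pos !== -1 ? href.substr(pos + 1) : "";
}

// Flex 3.0.1 behaviour: the query string is emitted as raw markup.
function writeRaw(href) {
  return historyQuery(href);
}

// Patched behaviour: the query string is percent-encoded first.
function writeEncoded(href) {
  return encodeURIComponent(historyQuery(href));
}

// Characters that let a written string escape a text context in HTML.
// Apostrophe is included on purpose to expose the encodeURIComponent caveat.
function hasMarkupDelimiters(s) {
  return /[<>"&']/.test(s);
}

// Constructed, hypothetical URLs (host name and payload are assumptions).
const BENIGN_HREF =
  "http://example.test/app/history/historyFrame.html?view=details&id=42";
const ATTACK_HREF =
  "http://example.test/app/history/historyFrame.html?<script>alert(document.cookie)</script>";
const QUOTE_HREF =
  "http://example.test/app/history/historyFrame.html?name=O'Brien";

// Run both variants over one URL and report whether the frame content could
// break out of a plain text context.
function compare(href) {
  const raw = writeRaw(href);
  const encoded = writeEncoded(href);
  return {
    raw,
    encoded,
    rawEscapesText: hasMarkupDelimiters(raw),
    encodedEscapesText: hasMarkupDelimiters(encoded),
  };
}

for (const href of [BENIGN_HREF, ATTACK_HREF, QUOTE_HREF]) {
  console.log(href);
  console.log("  ", compare(href));
}
```

Running it with node shows the attack URL's raw output is a live script tag while the encoded output is `%3Cscript%3E...`; the third URL shows that the apostrophe survives encodeURIComponent, which is why this fix is only sound for the text-content position on line 25.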


Topics: Flex, Flex 3 (Moxie)

2 Responses to “Flex 3 HistoryManager Exploit?”

  1. Matt Chotin Says:
    June 18th, 2008 at 11:41 am

    The 3.0.2.2113 build does have the fix in it.

  2. everythingflex Says:
    June 18th, 2008 at 1:07 pm

    Ah, thanks Matt, I grabbed the nightly dated June 17th rather than the stable with the same date.
