16th Apr 2003 [SBWID-6163]
COMMAND
	Macromedia Flash ad user tracking field xss and session retrieval
SYSTEMS AFFECTED
PROBLEM
	Scan Security Wire [http://www.scan-web.com] reported:
	"Over 497 million Internet users now  use  Macromedia  Flash  Player  to
	seamlessly view content created with Macromedia Flash, the solution  for
	developing rich Internet content and applications."
	A vulnerability discovered in Macromedia Flash ad  user  tracking  field
	allows  a  remote  user  to  perform  Cross-Site-Scripting  attacks  and
	retrieve session information.
	 Details
	 =======
	About the 'clickTAG' option:
	Macromedia flash supplies user-tracking  field  to  swf  (flash  movies)
	ads: "The clickTAG is the tracking  code  assigned  by  the  ad  serving
	network to  an  individual  ad.  The  clickTAG  allows  the  network  to
	register where the ad was displayed when it was clicked on.  This  click
	through data is reported to the ad serving servers  so  advertisers  may
	determine the effectiveness of their campaign.
	The code below will allow ad serving networks to  dynamically  assign  a
	clickTAG to their ad.
	In this example, a getURL action is being  assigned  to  a  button  that
	will  navigate  the  browser  to  ["clickTAG"].  The  "getURL(clickTAG)"
	statement appends the variable data passed in via the OBJECT  EMBED  tag
	and navigates the browser to that location.  It  is  the  tracking  code
	assigned by the ad serving network, which  allows  them  to  register  a
	user's click on that advertisement.
	
	<EMBED src="ad_banner_example.swf?clickTAG= http://adnetwork.com/tracking?http://www.destinationURL.com" > ..."
	
	The information was taken from Macromedia designer's guide:
	
	http://www.macromedia.com/resources/richmedia/tracking/designers_guide/ 
	
	Vulnerability details =====================
	Vulnerability in the  clickTAG  field  enables  a  remote  user  to  run
	malicious javascript code in the context of the  remote  web  site,  and
	therefore retrieve session  information  and  possibly  other  sensitive
	information. For example in the following script:
	
	http://www.example.com/victim.swf?clickTag=XXXX
	("XXXX" = arbitrary script or tag)
	
	Replacing "XXXX" with a script to steal cookies will enable an  attacker
	to perform session hijacking if the session is saved in the  cookie,  or
	to gain the private information present in ad tracking cookies.
SOLUTION
	 Workaround
	 ==========
	To prevent session-hijacking, it is recommended to configure  the  flash
	ads  to  run  on  a  separate  sub-domain.  This  will  prevent  session
	hijacking, although it will not prevent privacy leaks pertaining to  the
	advertising cookie.
	 Solution
	 ========
	"A new player version is NOT required. Macromedia  Flash  advertisements
	that accept clickTAGs need to validate  that  the  clickTAG  URL  begins
	with "http:". This helps ensure the clickTAG does not contain  malicious
	code." Quote from the official Macromedia security advisory.
	We recommend that all user input should be filtered for  malicious  code
	and characters and never trusted "as-is".
	Macromedia has also revised the Designer's Guide and added this note:
	"Note: The ActionScript in this Flash advertisement  is  verifying  that
	the clickTAG URL begins with "http:".  This  is  an  important  security
	measure. If you do not take  this  precaution,  a  malicious  HTML  page
	could source  your  SWF  and  pass  a  clickTAG  URL  that  begins  with
	"javascript:"   or   another   scripting   pseudo-protocol.   If    your
	ActionScript code  were  to  call  getURL  with  a  maliciously  crafted
	JavaScript URL, it would be possible for the site serving the  malicious
	HTML page to obtain the contents of your HTTP cookies or  perform  other
	actions on your site's behalf."