Uploaded image for project: 'Fluid Infusion'
  1. Fluid Infusion
  2. FLUID-5354

SWFUpload, used by the Uploader, is vulnerable to cross-site scripting (XSS) attacks

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 1.0, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.2beta1, 1.2, 1.2.1, 1.3, 1.3.1, 1.4
    • 1.5
    • Uploader
    • None

    Description

      jobara and I were discussing FLUID-5353 in the channel, and I made the mistake of going looking for new updates to SWFUpload. What I found was that SWFUpload suffers from a cross-site scripting vulnerability. The maintainer has not bothered to fix it.

      https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/

      Years ago, I investigated alternatives to SWFUpload but determined that it was a substantial amount of work to replace it. We need to take this issue seriously. Post-1.5, the plan was to remove support for "legacy" browsers (those that aren't the latest versions of IE, Chrome, Firefox, and Safari). This would include removing the Flash back-end for the Uploader.

      Given the nature of this issue, I think we should remove SWFUpload and the Flash strategy for the Uploader immediately.

      Attachments

        Issue Links

          Activity

            People

              colin Colin Clark
              colin Colin Clark
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: