
SWFUpload, used by the Uploader, is vulnerable to cross-site scripting (XSS) attacks

Details

• Type: Bug
• Status: Closed
• Priority: Blocker
• Resolution: Fixed
• Affects Version/s: 1.0, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.2beta1, 1.2, 1.2.1, 1.3, 1.3.1, 1.4
• Fix Version/s: 1.5
• Component/s: Uploader
• Labels: None

Description

Justin Obara and I were discussing FLUID-5353 in the channel, and I made the mistake of going looking for new updates to SWFUpload. What I found was that SWFUpload suffers from a cross-site scripting vulnerability. The maintainer has not bothered to fix it.

https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/

Years ago, I investigated alternatives to SWFUpload but determined that it was a substantial amount of work to replace it. We need to take this issue seriously. Post-1.5, the plan was to remove support for "legacy" browsers (those that aren't the latest versions of IE, Chrome, Firefox, and Safari). This would include removing the Flash back-end for the Uploader.

Given the nature of this issue, I think we should remove SWFUpload and the Flash strategy for the Uploader immediately.

People

• Assignee: Colin Clark
• Reporter: Colin Clark
• Votes: 0
• Watchers: 3
