FLUID-5354: SWFUpload, used by the Uploader, is vulnerable to cross-site scripting (XSS) attacks

Metadata

Source
FLUID-5354
Type
Bug
Priority
Blocker
Status
Closed
Resolution
Fixed
Assignee
Colin Clark
Reporter
Colin Clark
Created
2014-05-01T09:39:33.059-0400
Updated
2014-05-22T14:20:34.779-0400
Versions
  1. 1.0
  2. 1.1
  3. 1.1.1
  4. 1.1.2
  5. 1.1.3
  6. 1.2beta1
  7. 1.2
  8. 1.2.1
  9. 1.3
  10. 1.3.1
  11. 1.4
Fixed Versions
  1. 1.5
Component
  1. Uploader

Description

@@Justin Obara and I were discussing FLUID-5353 in the channel, and I made the mistake of going looking for new updates to SWFUpload. What I found was that SWFUpload suffers from a cross-site scripting vulnerability. The maintainer has not bothered to fix it.

https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/

Years ago, I investigated alternatives to SWFUpload but determined that it was a substantial amount of work to replace it. We need to take this issue seriously. Post-1.5, the plan was to remove support for "legacy" browsers (those that aren't the latest versions of IE, Chrome, Firefox, and Safari). This would include removing the Flash back-end for the Uploader.

Given the nature of this issue, I think we should remove SWFUpload and the Flash strategy for the Uploader immediately.

Comments

  • Justin Obara commented 2014-05-01T09:42:04.455-0400

    This makes sense. I think we should include a note in the README or release notes about this.

  • Justin Obara commented 2014-05-13T12:48:20.822-0400

    Submitted a pull request to remove flash support
    https://github.com/fluid-project/infusion/pull/518

  • Michelle D'Souza commented 2014-05-22T13:49:25.827-0400

    Merged at 7ad02491a7faa7f9f2125ed2fb1efbee07b93faa