In June, I wanted to catch and play with some Flash-related XSS vulnerabilities, because there were a lot of them, but I didn’t get one until today. So I began to search Google for Flash files (with the SWF extension) that take parameters, and found a link on the Cisco.com main domain under their e-learning system. So I went through it.
The SWF file seemed to be reading its data from an XML file. I tried to get the XML file named “ttpsm” specified in the URL to see what was inside, and after trying some paths I successfully got it.
I tried to understand how it was handled, then played with the source. I found the topic title which you see in the screenshot above, changed it to “CLICK HERE TO XSS”, and made it a link as follows:
I uploaded the edited XML file to my own domain and changed Cisco’s xmlpath parameter to point to my new file, as:
My text was there and I just wanted it to work, so I clicked the link.
Bingo! It was working.
This is NOT ONLY an XSS-related vulnerability; it could be much more harmful. How?
Suppose an attacker adds a link to a malicious executable file inside the XML file (which will be shown in the Downloads section); users will trust Cisco.com and download the file. Then Game Over!
The vulnerability was reported to Cisco on 03.06.2016, but their communication was much weaker than I expected. I think they have a lot of things to do! After they confirmed that they had received the info and said they would fix it, I couldn’t get any response again. I sent several emails but had no luck. They also offered nothing as a reward, nor a hall of fame entry. Swag at least? :) Never mind. Just respect people who report vulnerabilities to you for free.
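The root cause in the steps above is that the xmlpath parameter is accepted from any domain. As an added example (not code from Cisco or from this post), here is the check a loader could apply before fetching the data file. The origin, directory, file extension and sample values are constructed assumptions, and the link-scheme check assumes the injected link ran script through a non-HTTP scheme, which the post does not show.

```javascript
// Added example: validate a data-file parameter such as xmlpath before loading it.
// ALLOWED_ORIGIN and XML_DIR are hypothetical values for a site hosting the SWF.
const ALLOWED_ORIGIN = "https://learning.example.com";
const XML_DIR = "/content/xml/";

// Resolve the supplied value against the trusted base and accept it only if it
// stays on the trusted origin, inside the expected directory, and ends in .xml.
// Returns the absolute URL to load, or null when the value must be rejected.
function resolveXmlPath(param) {
  if (typeof param !== "string" || param.length === 0) return null;
  // Backslashes and control characters are handled differently by different
  // URL parsers, so reject them instead of trying to normalise them.
  if (/[\\\u0000-\u001f]/.test(param)) return null;
  let url;
  try {
    url = new URL(param, ALLOWED_ORIGIN + XML_DIR);
  } catch (e) {
    return null;
  }
  if (url.origin !== ALLOWED_ORIGIN) return null;        // absolute or //host URLs
  if (url.username || url.password) return null;         // user@host tricks
  if (!url.pathname.startsWith(XML_DIR)) return null;    // ../ traversal
  if (!url.pathname.endsWith(".xml")) return null;
  return url.href;
}

// Defence in depth (assumption, see lead-in): links read from the XML are
// rendered only when they resolve to http or https.
function isSafeLink(href) {
  try {
    const u = new URL(href, ALLOWED_ORIGIN);
    return u.protocol === "https:" || u.protocol === "http:";
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs.
console.log(resolveXmlPath("ttpsm.xml"));
console.log(resolveXmlPath("https://attacker.example/ttpsm.xml"));
console.log(isSafeLink("javascript:void(0)"));
```

Run the same check wherever the parameter is consumed, and pair it with a restrictive crossdomain policy on the host that serves the XML.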
Thanks for reading.