Adobe Flash Player ActiveX control navigateToURL cross-site scripting (Flash_NavigateToURL_XSS)

About this signature or vulnerability

Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IPS, IBM Security Host Protection for Desktops, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Servers (Unix):

This signature detects a Shockwave-Flash (.swf) file using the navigateToURL actionScript function that appears to be navigating to a URL having the javascript: protocol.


False positives

Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IPS, IBM Security Host Protection for Desktops, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Servers (Unix): This is not necessarily a malicious action and blocking of traffic generating this event is appropriate only after a specific policy decision has been made.

Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Network IDS: XPU 28.020, Proventia-G 1.1 and earlier: XPU 28.020, Proventia Network MFS: XPU 28.020, Proventia Network IPS: XPU 28.020, IBM Security Host Protection for Desktops: 2160, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.020, IBM Security Host Protection for Servers (Windows): 1.0.914.2160, IBM Security Host Protection for Servers (Windows): 2.0.252.2160, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, RealSecure Server Sensor: XPU 28.020, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

Microsoft Internet Explorer, Gentoo Linux, SUSE SuSE Linux: 9.0, Novell Linux Desktop: 9, Sun Solaris: 10 SPARC, Sun Solaris: 10 x86, RedHat RHEL Extras: 3, RedHat RHEL Extras: 4, Turbolinux Turbolinux: FUJI, Turbolinux Turbolinux: wizpy, Novell SUSE Linux Enterprise Desktop: 10 SP1, Adobe Connect Enterprise Server: 6, RedHat RHEL Desktop Supplementary: 5 Client, RedHat RHEL Supplementary: 5 Server, RedHat RHEL Supplementary: 5.1.z EUS, RedHat RHEL Extras: 4.5.z, RedHat RHEL Extras: 4.6.z, Adobe Flash Player ActiveX control, Adobe Contribute: CS3, Adobe Contribute: 4, Adobe Dreamweaver: 8.0, Adobe Dreamweaver: 9.0, Novell OpenSUSE: 10.2, Novell OpenSUSE: 10.3, Sun OpenSolaris: 2008.5 x86, Sun OpenSolaris: 2008.5 SPARC

Type

Suspicious Activity

Vulnerability description

An HTTP request containing embedded <script> tags has been detected, which may indicate a cross-site scripting attempt against a Web server or Web application.

How to remove this vulnerability

This check is for informational purposes only.

Ensure that your personal firewall, operating system, and applications are up-to-date in order to minimize the threat of a system compromise.

References

APSB07-20
Flash Player update available to address security vulnerabilities
http://www.adobe.com/support/security/bulletins/apsb07-20.html

Full-Disclosure Mailing List, Wed, 19 Dec 2007 16:41:51 -0800
CVE-2007-6244: Adobe Flash Player ActiveX Control Universal Cross-Site Scripting Vulnerability
http://seclists.org/fulldisclosure/2007/Dec/0467.html

APSB08-01
Update to Dreamweaver and Contribute to address potential cross-site scripting vulnerabilities
http://www.adobe.com/support/security/bulletins/apsb08-01.html

APSB08-02
Update available for Adobe Connect Enterprise Server cross-site scripting issue
http://www.adobe.com/support/security/bulletins/apsb08-02.html

Sun Alert ID: 238305
Multiple Security Vulnerabilities in Flash Player for Solaris
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238305-1

NORTEL BULLETIN ID: 2008008954, Rev 1
Nortel Response to Sun Alert 238305 - Multiple Security Vulnerabilities in Flash Player for Solaris 10
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=745016

ISS X-Force
Adobe Flash Player ActiveX control navigateToURL cross-site scripting
http://www.iss.net/security_center/static/39131.php

CVE
CVE-2007-6244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6244