Ambica Posted September 5, 2012

We are using Fusion Charts in our application and there has been a security vulnerability issue detected with the usage. The details are below. This needs a modification to the Flash code in the Fusion Charts .sla file. Please let us know if this issue has been addressed in a recent version of this software or can be taken up for an enhancement now.

Located in: Charts/MSLine.swf

The issue with this vulnerability is that the dataURL variable can be changed to point to an external XML file because the value is not hard-coded or limited to trusted sources. This was tested in Firefox v3.6.12 and Chrome 15.0.874.121.

Description
Force browse is capable on every Fusion Chart. Vulnerability proof of concept for cross-site scripting will be found by clicking on one of the green line points. A JavaScript pop-up is executed once a line point is clicked. Cross-site scripting (XSS) is an attack technique where malicious code is executed in the user's browser, delivered through the victimized website, that allows an attacker to gain control over the content of the application.

Solution
Flash code needs to hard-code or not accept third-party URLs. XSS is introduced into the application through untrusted user input. Most XSS threats can be avoided by: (1) limiting both where and how untrustworthy input is used; and (2) ensuring that all user input is strongly validated and contextually encoded. Use positive whitelist validation for all user input. For example, use built-in optimized platform-specific parsers (e.g., Integer.parseInt()) or regular expressions. Be aware that regular expressions are CPU intensive, and that they can be used by attackers to tie up system resources in a denial-of-service attack. If the application's framework supports casting, then ensure that all types (booleans, integers, floats, etc.) are cast.

For rich input validation, an HTML policy engine, such as AntiSamy, must be used to ensure that the rich input does not contain spoofed content or XSS. Encoding must be done contextually, making note of the following contexts:
String: validate and encode based on context
CSS: validate and remove "expression" call, plus XSS HEX encode
HTML Body: HTML Entity encode
HTML Attribute: aggressive HTML Entity encoding, even encoding spaces
URL Attribute: validate that the URL is legal and only contains safe protocols (and that the URL is specifically NOT a javascript:// URL); then attribute encode
JavaScript: JS output encode and ensure certain functions like eval() or setTimeout() are not used.
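An added example, not code from the original post or from FusionCharts: a JavaScript allow-list check of the kind the Solution section above describes, applied to a chart dataURL before it reaches the chart, followed by the aggressive HTML attribute encoding the post calls for. It uses the WHATWG URL API available in Node.js and modern browsers; the trusted origin, the page origin and the sample URLs are constructed placeholders.

```javascript
// Added example (not FusionCharts code): allow-list validation of a chart
// dataURL, then HTML attribute encoding of the accepted value.
// TRUSTED_ORIGINS holds constructed placeholder hosts; an application would
// list the origins that actually serve its chart XML.
const TRUSTED_ORIGINS = new Set([
  "https://charts.example.internal", // placeholder: internal chart data host
]);

// Returns { ok: true, url } for an acceptable dataURL, or { ok: false, reason }.
// pageOrigin is the origin of the page embedding the chart (e.g. location.origin).
function validateDataUrl(candidate, pageOrigin) {
  if (typeof candidate !== "string" || candidate.trim() === "") {
    return { ok: false, reason: "empty" };
  }
  let parsed;
  try {
    // Relative paths resolve against the page origin, so "Data/chart.xml"
    // stays same-origin; absolute and protocol-relative URLs are parsed as given.
    parsed = new URL(candidate, pageOrigin);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  // Positive scheme list: this refuses javascript:, data:, vbscript:, file:, etc.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return { ok: false, reason: "scheme " + parsed.protocol };
  }
  // Only the page's own origin or an explicitly trusted origin may serve chart XML.
  if (parsed.origin !== pageOrigin && !TRUSTED_ORIGINS.has(parsed.origin)) {
    return { ok: false, reason: "origin " + parsed.origin };
  }
  // Embedded credentials ("user@host") are a common way to disguise the real host.
  if (parsed.username !== "" || parsed.password !== "") {
    return { ok: false, reason: "credentials" };
  }
  return { ok: true, url: parsed.href };
}

// Aggressive HTML attribute encoding: every character that is not ASCII
// alphanumeric becomes a hex entity, spaces included, as the post recommends.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => {
    return "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";";
  });
}

// Builds the dataURL="..." fragment for an embed tag, or null when the
// candidate fails validation (the caller should then fall back to a
// hard-coded default rather than pass the rejected value through).
function buildDataUrlAttribute(candidate, pageOrigin) {
  const result = validateDataUrl(candidate, pageOrigin);
  if (!result.ok) {
    return null;
  }
  return 'dataURL="' + encodeForHtmlAttribute(result.url) + '"';
}

// Constructed sample run against a placeholder page origin.
const PAGE = "https://app.example.com";
console.log(buildDataUrlAttribute("Data/chart.xml", PAGE));
console.log(buildDataUrlAttribute("//evil.example/chart.xml", PAGE)); // null
console.log(buildDataUrlAttribute("javascript:void(0)", PAGE));       // null
```

The check is positive (scheme and origin must both be on the list) rather than a blocklist of bad prefixes, so case tricks such as `JaVaScRiPt:` and protocol-relative `//host/...` forms are handled by the URL parser's normalisation instead of by string matching.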
Ambica Posted September 5, 2012

The version of Fusion Charts we are using is 3.2.2.
Guest Sumedh Posted September 6, 2012

Hi Ambica, This has been already identified as an issue. We will update you on this, shortly. Thanks for your time and support.
Ambica Posted September 6, 2012

Thank you for the response. However, could you please let me know if there is an open ticket or release related to this issue in Fusion Charts? We would like to reference it to our IT security team. Please let us know as soon as possible. Thank you.
Guest Sumedh Posted September 7, 2012

Hi, We are working on this issue and we are unable to provide any timeline on this. Thank you for your time and support.
fusion_freak_ Posted November 13, 2012

I'm facing the same issue. How can I overcome this?
Sanjukta Posted November 14, 2012

Hi All, Please note that currently, in the existing Flash chart framework, a number of configurations (like pre-init and other chart messages, settings for debug mode along with data-sources) are passed via querystring to the chart. Security can be implemented by blocking the passing of chart message and data-source configurations via querystring to the Flash charts. While it is possible, this action might delay the chart rendering life-cycle, especially when rendering a Flash chart using the HTML embedding method and not using JavaScript. Again, this would also require quite a number of architectural changes both in Flash and JavaScript to give the same seamless rendering of charts as they render now. Hence, it would consume a considerable amount of time and effort to analyze the impact of the change on all other customers and finally implement it in our product. However, we are always eager to help you out with other alternatives. In this scenario, we would like to request you to use JavaScript charts, if possible. JavaScript charts would not pose any of these security threats. Hence, converting your charts to JavaScript is fairly easy and does not involve much effort from your side, by just adding the following line of code:

FusionCharts.setCurrentRenderer('javascript');

Ref.- http://docs.fusioncharts.com/charts/contents/?FirstChart/UsingPureJS.html#force

Hope this helps.
adriel.diaz.doubledigit Posted October 11, 2016

Hi, I wonder if there's any update about this issue?
Gagan Sikri Posted October 12, 2016

Hi, This issue is already logged internally and passed on to the respective team. It will be taken up soon. We will notify you about the same.
Tina Posted August 9, 2018

Hi, My company is using FusionCharts and, after an application vulnerability scan, we've found an issue with "DOM Based Cross-Site Scripting" in fusioncharts.js. Can you support us to prevent "DOM Based Cross-Site Scripting"? Regards, Tina