Security Bulletin: SWF Vulnerability in YUI 3.0.0 through 3.10.0

By YUI Team, May 13, 2013

Overview

A cross-site scripting (XSS) vulnerability has been discovered in several of the .swf (Flash) files shipped with YUI. It affects every version of YUI from 3.0.0 through 3.10.0. Please read this bulletin carefully and follow the instructions below to remove the vulnerability from your own deployments.

Details

Aleksandr Dobkin and Sebastian Roschke of the Google Security Team recently found XSS vectors in the .swf files used by the IO Utility and Uploader components. These files read parameters from the URL used to load them and pass the supplied strings into JavaScript that is executed in the page. A carefully constructed URL that loads one of these .swf files directly, rather than through the YUI component, can therefore run attacker-supplied JavaScript in the origin of the site hosting the .swf file, with access to that site's cookies and any other information the page can reach. The attack requires only that the file be reachable by URL, not that any of your pages actually use it.

The YUI team has removed this vulnerability from our CDN, the hosted .zip downloads, and the npm packages by replacing the affected .swf files with patched versions that no longer allow arbitrary strings to be passed in and executed.

Resolution

Delete the Files

If you host these .swf files but do not use them, simply delete them. Because the attack needs nothing more than a copy of the file that can be fetched by URL, removing unused copies resolves the vulnerability for that host.

Use the Yahoo! CDN

If you load these assets from the Yahoo! CDN, all vulnerable files there have already been patched, and no further action is necessary.

Replace the Vulnerable Files

If you host and use this functionality, refer to the table below for the replacement files and their MD5 checksums. Scan all of your hosts for every version of these files, not only the directory of the YUI build you currently deploy: copies left behind by earlier releases are just as exploitable. Compare the MD5 of each copy you find against the Old MD5 column to confirm it is affected, and against the Patched MD5 column after replacement to confirm the fix is in place. Note that the table has no rows for 3.10.0, although the overview names it as affected; the Delete the Files and Use the Yahoo! CDN options above still apply to hosts running that version.

Version  Replacement File    Old MD5                           Patched MD5
3.0.0    io.swf              7f22020ec768608f2620681547e5cfbc  c0aeb2d9ce51f404e792890578e2c71f
3.1.0    io.swf              528990efbd93fb7a9f7890a81ff94dd0  b846bd01ce0946ac023811f8f81a1783
3.1.1    io.swf              528990efbd93fb7a9f7890a81ff94dd0  b846bd01ce0946ac023811f8f81a1783
3.1.2    io.swf              eb6777f7fa9048ef2347d8210787896f  b846bd01ce0946ac023811f8f81a1783
3.2.0    io.swf              c3491bb3c6863c5b05f5168adfd064d7  023ba0ef89ba692ddc472e24def72c60
3.2.0    uploader.swf        7efdb06c1b588ed4878d7f24b366fac4  f9bb520229719fd4f138918826ea0bbf
3.3.0    io.swf              c3491bb3c6863c5b05f5168adfd064d7  023ba0ef89ba692ddc472e24def72c60
3.3.0    uploader.swf        7efdb06c1b588ed4878d7f24b366fac4  f9bb520229719fd4f138918826ea0bbf
3.4.0    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.4.0    uploader.swf        7efdb06c1b588ed4878d7f24b366fac4  f9bb520229719fd4f138918826ea0bbf
3.4.1    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.4.1    uploader.swf        7efdb06c1b588ed4878d7f24b366fac4  f9bb520229719fd4f138918826ea0bbf
3.5.0    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.5.0    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.5.0    flashuploader.swf   e5d39fad451c70719dfda99f4ee39991  86c183e8ddd33b7012d033eaec52755d
3.5.1    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.5.1    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.5.1    flashuploader.swf   e5d39fad451c70719dfda99f4ee39991  86c183e8ddd33b7012d033eaec52755d
3.6.0    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.6.0    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.6.0    flashuploader.swf   b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.7.0    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.7.0    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.7.0    flashuploader.swf   b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.7.1    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.7.1    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.7.1    flashuploader.swf   b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.7.2    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.7.2    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.7.2    flashuploader.swf   b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.7.3    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.7.3    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.7.3    flashuploader.swf   b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.8.0    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.8.0    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.8.0    flashuploader.swf   b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.8.1    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.8.1    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.8.1    flashuploader.swf   b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.9.0    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.9.0    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.9.0    flashuploader.swf   b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.9.1    io.swf              1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.9.1    uploader.swf        aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.9.1    flashuploader.swf   b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
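The host scan that this section asks for, as an added example that is not part of the bulletin or of YUI's own tooling: a Python script that walks a directory tree, hashes every io.swf, uploader.swf and flashuploader.swf it finds, and classifies each copy against the Old MD5 and Patched MD5 columns of the table above. The hashes are copied from the table; the function names, the output format and the choice of a directory walk rather than a per-host inventory agent are this example's own.

```python
"""Scan a directory tree for the YUI .swf files named in this bulletin and
classify each copy by MD5 against the Old/Patched columns of the table above.
Hashes are copied from the table; names and output format are this example's.
"""
import hashlib
import os
import sys

# Old MD5 -> YUI versions that shipped that file (from the table above).
VULNERABLE = {
    "io.swf": {
        "7f22020ec768608f2620681547e5cfbc": ["3.0.0"],
        "528990efbd93fb7a9f7890a81ff94dd0": ["3.1.0", "3.1.1"],
        "eb6777f7fa9048ef2347d8210787896f": ["3.1.2"],
        "c3491bb3c6863c5b05f5168adfd064d7": ["3.2.0", "3.3.0"],
        "1e642bb8a5105dc429f8f3979ac559c4": [
            "3.4.0", "3.4.1", "3.5.0", "3.5.1", "3.6.0", "3.7.0", "3.7.1",
            "3.7.2", "3.7.3", "3.8.0", "3.8.1", "3.9.0", "3.9.1"],
    },
    "uploader.swf": {
        "7efdb06c1b588ed4878d7f24b366fac4": ["3.2.0", "3.3.0", "3.4.0", "3.4.1"],
        "aa54944e0e4293c9c4efc4201b107136": [
            "3.5.0", "3.5.1", "3.6.0", "3.7.0", "3.7.1", "3.7.2", "3.7.3",
            "3.8.0", "3.8.1", "3.9.0", "3.9.1"],
    },
    "flashuploader.swf": {
        "e5d39fad451c70719dfda99f4ee39991": ["3.5.0", "3.5.1"],
        "b706cb01446002126f80c541a2fa62c0": [
            "3.6.0", "3.7.0", "3.7.1", "3.7.2", "3.7.3", "3.8.0", "3.8.1",
            "3.9.0", "3.9.1"],
    },
}

# Patched MD5 values from the table, per file name.
PATCHED = {
    "io.swf": {"c0aeb2d9ce51f404e792890578e2c71f", "b846bd01ce0946ac023811f8f81a1783",
               "023ba0ef89ba692ddc472e24def72c60", "ef4d5f86272e90e21a158882ecbd481b"},
    "uploader.swf": {"f9bb520229719fd4f138918826ea0bbf", "c566c5fec625f482ebfeb05f891657a9"},
    "flashuploader.swf": {"86c183e8ddd33b7012d033eaec52755d", "6b214e93a4082ea689bcd23dbd34c4bd"},
}

def md5_of_file(path, chunk=1 << 16):
    """MD5 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(name, digest):
    """Return (status, versions) for a file name and its MD5 hex digest.

    status is "vulnerable", "patched" or "unknown"; versions lists the YUI
    releases the table ties to a vulnerable hash (empty otherwise).  "unknown"
    means the bulletin does not describe this exact file: a release the table
    omits, a modified copy, or an unrelated file that shares the name.
    """
    name, digest = name.lower(), digest.lower()
    if digest in VULNERABLE.get(name, {}):
        return "vulnerable", VULNERABLE[name][digest]
    if digest in PATCHED.get(name, set()):
        return "patched", []
    return "unknown", []

def scan_tree(root):
    """Yield (path, status, versions, digest) for each io.swf, uploader.swf or
    flashuploader.swf found under root (case-insensitive file-name match)."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in VULNERABLE:
                path = os.path.join(dirpath, fname)
                digest = md5_of_file(path)
                status, versions = classify(fname, digest)
                yield path, status, versions, digest

if __name__ == "__main__":
    # Usage: python yui_swf_scan.py /var/www   (exits 1 if any copy is vulnerable)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found_vulnerable = False
    for path, status, versions, digest in scan_tree(root):
        hint = " (YUI %s)" % ", ".join(versions) if versions else ""
        print("%-10s %s %s%s" % (status.upper(), digest, path, hint))
        found_vulnerable |= status == "vulnerable"
    sys.exit(1 if found_vulnerable else 0)
```

Run it against every web root and any other directory that serves static files on each host. An "unknown" result means the copy is not one of the builds the table covers (a release the table omits, a modified file, or an unrelated file with the same name) and should be inspected rather than assumed safe. The MD5 here identifies known builds; it is not proof that a file came from the vendor, so fetch replacements from the sources the bulletin names and re-run the scan to confirm each copy now matches the Patched MD5 column.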

Special Thanks

A big thank you to Aleksandr Dobkin and Sebastian Roschke of the Google Security Team who reported this to us.

Support

Our Security page has information about how to contact us regarding security-related issues.