GetURL Issues
From FlashSec
The getURL function has a relatively unknown (or misunderstood) optional third argument which the documentation calls variables.
As this argument can be only "GET" or "POST", it has lead some people to assume that it simply specifies what type of HTTP request to send, but according to the documentation variables is:
A GET or POST method for sending variables. If there are no variables, omit this parameter. The GET method appends the variables to the end of the URL, and is used for small numbers of variables. The POST method sends the variables in a separate HTTP header and is used for sending long strings of variables.
This is an issue in any SWF files which were written using ActionScript 2, since it is possible to overwrite global variables by simply appending them to the query string of the request for the flash file, and these variables are appended onto the end of any request which sets the third parameter to "GET".
Since Flash does not check whether the variables it is appending already exist in the query string, but merely attaches the global variables onto the end of the query, it is possible for an attacker to influence the GET data the target URL receives, since most languages simply accept the last version of an argument on a query string as being the one to use, i.e. in a request for this URL:
http://www.site.com/search.php?q=1&q=2
The value of $_GET['q'] would be 2.
And while this is unlikely to have any particularly serious consequences, when other URIs, such as javascript: or data: are used, the effects of appending attacker controlled data can be much higher.
In a recent example a Flash file which was compiled from the following source:
getURL("javascript:alert('XSS')", "_self", "GET"); stop();
Was vulnerable to an XSS attack, since the query string separator, the question mark (?), is also a ternary operator in javascript, the attackers were able to force the flash file to send the victim to a URL which looked like this:
javascript:alert('XSS')?a=0:0;a/**/setter=eval;b/**/setter=atob;a=b=name;
Which is valid javascript, which extracts the payload from the window.name property, base64 decode's it, and executes it.