swfupload XSS vulnerability
Hi
I recently had one of my concrete5 installations penetration tested, and the result flagged up a potential problem with swfupload.swf and an XSS vulnerability. We upgraded to 5.6.3.3, but the problem is still there. Does anyone have any advice on how to prevent this?
I don't want to put in the exact URL that was used, but the vulnerability was achieved by passing some URL parameters to the swf via the browser, which is a little worrying.
I decided to swap the swfuploader using this version: https://github.com/WordPress/secure-swfupload/tree/master/core/Flash...
This seems to have helped: the code that was executing can no longer, and uploading still seems to function for the file manager.