SWFUpload, used by the Uploader, is vulnerable to cross-site scripting (XSS) attacks

Description

and I were discussing in the channel, and I made the mistake of going looking for new updates to SWFUpload. What I found was that SWFUpload suffers from a cross-site scripting vulnerability. The maintainer has not bothered to fix it.

https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/

Years ago, I investigated alternatives to SWFUpload but determined that it was a substantial amount of work to replace it. We need to take this issue seriously. Post-1.5, the plan was to remove support for "legacy" browsers (those that aren't the latest versions of IE, Chrome, Firefox, and Safari). This would include removing the Flash back-end for the Uploader.

Given the nature of this issue, I think we should remove SWFUpload and the Flash strategy for the Uploader immediately.

Environment

None

Activity


Michelle D'Souza May 22, 2014 at 5:49 PM

Merged at 7ad02491a7faa7f9f2125ed2fb1efbee07b93faa

Justin Obara May 13, 2014 at 4:48 PM

Submitted a pull request to remove Flash support:
https://github.com/fluid-project/infusion/pull/518

Justin Obara May 1, 2014 at 1:42 PM

This makes sense. I think we should include a note in the README or release notes about this.

Fixed

Details

Assignee

Colin Clark

Created May 1, 2014 at 1:39 PM
Updated May 22, 2014 at 6:20 PM
Resolved May 22, 2014 at 5:49 PM