swfupload XSS vulnerability


I recently had one of my concrete5 installations penetration tested and the result flagged up a potential problem with swfupload.swf and a vulnerability to XSS - we upgraded to but still the problem is there. Does anyone have any advice on how to prevent this?

I don't want to put in the exact URL that was used, but the vulnerability was achieved by passing some URL parameters to the swf via the browser, which is a little worrying.

Replies:
terryoleary replied:
After reading this: http://seclists.org/fulldisclosure/2013/Mar/110...

I decided to swap the swfuploader for this version: https://github.com/WordPress/secure-swfupload/tree/master/core/Flash...

This seems to have helped: the code that was executing can no longer do so, and uploading still seems to function for the file manager.
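The following is an added example, not code from the original post, from concrete5 or from either SWFUpload project. It shows the class of bug the question describes (a URL parameter handed to a SWF ending up as script in the page) and the kind of whitelist check a fixed SWF such as the secure-swfupload fork applies before building any JavaScript. It assumes, since the thread does not name the parameter, that the SWF takes a movieName from its query string and splices it into the JavaScript it asks the browser to run through ExternalInterface.call; the browser side, the page object, the hostile URL and the exact regex are all constructed for this example.

```javascript
// Added example (not SWFUpload's own code): a URL/FlashVars parameter that a
// SWF concatenates into JavaScript source for ExternalInterface.call becomes
// an injection point; refusing anything that is not identifier-like closes it.

// Minimal stand-in for the page-side object the SWF calls back into.
globalThis.SWFUpload = {
  instances: { upload1: { flashReady() { return 'ready'; } } },
};

// Stand-in for the browser half of ExternalInterface.call: the plugin hands
// over a JavaScript source string and the browser evaluates it in page scope.
function browserEvaluate(jsSource) {
  return (0, eval)(jsSource); // indirect eval runs in global scope, as the real call does
}

// What the SWF sees when loaded as swfupload.swf?movieName=... (assumed parameter name).
function flashVarsFromUrl(url) {
  const params = new URL(url, 'http://localhost/').searchParams;
  return Object.fromEntries(params.entries());
}

// Vulnerable pattern: the untrusted value is pasted straight into JS source.
function callbackSourceUnsafe(movieName, method) {
  return 'SWFUpload.instances["' + movieName + '"].' + method + '()';
}

// Hardened pattern: the value must look like an identifier, otherwise it is
// rejected before any JavaScript is built. The regex is this example's choice.
const MOVIE_NAME = /^[A-Za-z0-9_]+$/;
function callbackSourceSafe(movieName, method) {
  if (!MOVIE_NAME.test(movieName)) {
    throw new Error('rejected movieName: ' + JSON.stringify(movieName));
  }
  return callbackSourceUnsafe(movieName, method);
}

// Loads the "SWF" once from a URL with the given builder and reports what the
// browser actually executed: the callback result, a refusal, or a planted flag.
function runSwf(url, builder) {
  const { movieName } = flashVarsFromUrl(url);
  globalThis.injected = false; // set to true only if attacker-controlled code ran
  let result;
  let error;
  try {
    result = browserEvaluate(builder(movieName, 'flashReady'));
  } catch (e) {
    error = e.message;
  }
  return { injected: globalThis.injected, result, error };
}

// Constructed sample URLs: a normal load and one whose parameter breaks out
// of the string literal and appends a statement of its own.
const LEGIT_URL = 'swfupload.swf?movieName=upload1';
const HOSTILE_URL =
  'swfupload.swf?movieName=' + encodeURIComponent('x"]||0;globalThis.injected=true;//');

console.log('old swf, legit   :', runSwf(LEGIT_URL, callbackSourceUnsafe));
console.log('old swf, hostile :', runSwf(HOSTILE_URL, callbackSourceUnsafe));
console.log('fixed swf, legit :', runSwf(LEGIT_URL, callbackSourceSafe));
console.log('fixed swf, hostile:', runSwf(HOSTILE_URL, callbackSourceSafe));
```

The hostile parameter never has to be "valid" for the SWF; it only has to survive the query string, which is why the pentester could trigger it from the browser with nothing but a URL. Replacing the SWF file, as the reply did, is the right fix for a compiled artefact like this: there is no server-side code in concrete5 to patch, and the check has to live inside the SWF before it builds the call.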