SWFUpload XSS vulnerability
Clark, Colin
cclark at ocadu.ca
Thu May 1 13:46:21 UTC 2014
Hi everyone,
I have discovered that SWFUpload, the Flash-based backend that we use for the Uploader on legacy (i.e. old Internet Explorer) browsers, has an unpatched cross-site scripting vulnerability. I’ve filed a JIRA ticket about this issue here:
http://issues.fluidproject.org/browse/FLUID-5354
SWFUpload has, sadly, always represented some of the worst and most brittle code we’ve encountered. Replacing it is costly, and time are changing. Our plan for post-1.5 has been to drop support for legacy (i.e. non latest version) browsers. This would have involved removing Flash support in the Uploader anyway.
Given the severity of this issue, I am proposing that we go ahead and drop Flash support from the Uploader in the Infusion 1.5 release. On legacy browsers such as IE 8 and 9, the simple file uploader will be delivered instead. Modern browsers will get the feature-rich HTML5 version.
Colin
---
Colin Clark
Lead Software Architect,
Inclusive Design Research Centre, OCAD University
http://inclusivedesign.ca
More information about the fluid-work
mailing list