Author Topic: flexpaper PDF viewer used on wikileaks.org presents security risk for users  (Read 11037 times)


Koyaanisqatsi

  • Guest
We have been made aware of a potential security risk with open-source software Wikileaks is utilizing, which uses a Flash library to display PDF files in .swf format.
The software being used is FlexPaper, which uses non-static flashvars, which could result in cross-site scripting attacks.

FlexPaper is an open-source Flash library to load PDF files: https://code.google.com/p/flexpaper/ (The developers are aware of the vulnerability, and it will be resolved in future versions.)
Two vulnerabilities, XSS and content spoofing, can be used by malicious users, whether to affect the privacy of users of Wikileaks (e.g. using Flash components specifically to decloak users behind the Tor network) or to link to external content to discredit Wikileaks, something Wikileaks should avoid given the nature of the content published on Wikileaks servers.

An example, the latest FBI case of decloaking users: http://hackread.com/fbi-used-metasploit-decloak-expose-tor-users

Given the fact that most browsers use plugins to enable the reading of PDFs, we strongly urge Wikileaks to link directly to PDF files instead of using third-party software that could put users at risk.


We would like to thank Francisco Alonso (@revskills, http://twitter.com/revskills) for providing us with this information.



Linkback: http://www.wikileaks-forum.com/security-support/608/-flexpaper-pdf-viewer-used-on-wikileaks-org-presents-security-risk-for-users/32700/
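The post above describes the weakness only as "non-static flashvars". The following is an added example, written for this page and not code from FlexPaper, WikiLeaks or the original poster, of what that pattern looks like in the page that embeds a SWF viewer, beside a hardened version. It assumes (none of this is stated in the thread) that the embedding page takes a document name from a ?doc= query parameter, that the viewer reads its document from a flashvar named SwfFile, and that documents live under a fixed same-origin path; those names are illustrative.

```javascript
// Added example (not FlexPaper or WikiLeaks code): building the flashvars for a
// SWF viewer from untrusted query-string input, weak pattern beside hardened one.
//
// Assumptions (not from the original post): the page takes a document name from
// a ?doc= query parameter, the viewer reads its document from a flashvar named
// SwfFile, and documents live under the fixed same-origin path /static/docs/.

const DOC_BASE = '/static/docs/';
// A bare file name: no '/', no scheme, no quotes, no whitespace, must end in .swf
const DOC_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.swf$/;

// Parse "a=b&c=d" style query strings without trusting anything in them.
function parseQuery(qs) {
  const out = Object.create(null); // no prototype, so "__proto__" keys are inert
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    try {
      out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
    } catch (e) {
      // malformed percent-encoding: drop the pair rather than guess
    }
  }
  return out;
}

// Weak pattern ("non-static flashvars"): every query parameter is copied into
// flashvars, so the URL decides which file the viewer loads (content spoofing:
// an attacker-hosted document shown under this site's origin) and can set any
// other viewer option the SWF understands.
function weakFlashvars(qs) {
  return Object.entries(parseQuery(qs))
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Hardened pattern: only the one parameter the page needs is honoured, its value
// must be a bare file name from the allowlisted character set, and it is resolved
// to a fixed same-origin path. Every other viewer option is a constant chosen by
// the page, never by the URL. Values are percent-encoded because flashvars is
// itself query-string syntax.
function safeFlashvars(qs) {
  const doc = parseQuery(qs).doc;
  if (typeof doc !== 'string' || !DOC_NAME_RE.test(doc)) {
    return null; // reject: caller renders an error page, not the viewer
  }
  const swfFile = DOC_BASE + doc;
  return `SwfFile=${encodeURIComponent(swfFile)}&ProgressiveLoading=true`;
}

// Render the embed. allowScriptAccess="never" stops the SWF from reaching the
// page's JavaScript (ExternalInterface, javascript: URLs) and
// allowNetworking="internal" keeps it from driving browser navigation; both are
// defence in depth around the viewer, not a substitute for patching it.
function renderEmbed(flashvars) {
  if (flashvars === null) return '<p>Document not found.</p>';
  const escAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return '<embed src="/static/fp/FlexPaperViewer.swf"' +
    ' type="application/x-shockwave-flash"' +
    ' allowScriptAccess="never" allowNetworking="internal"' +
    ` flashvars="${escAttr(flashvars)}">`;
}

// Stand-alone demo with a constructed attacker URL.
const probe = '?doc=cablegate-2010.swf&SwfFile=http://attacker.example/spoof.swf';
console.log('weak :', weakFlashvars(probe));
console.log('safe :', safeFlashvars(probe));
console.log('embed:', renderEmbed(safeFlashvars('?doc=cablegate-2010.swf')));
```

With the weak builder the attacker-supplied SwfFile reaches the viewer; with the hardened one the extra parameter is ignored, a path like ../../fp/other.swf or an absolute URL is rejected outright, and the document name ends up under a path the page controls. The thread's own remedies, replacing FlexPaperViewer.swf with the patched build or linking straight to the PDF, still apply on top of this.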


FlexPaper Team

  • Guest
This has been patched and fixed in the latest version of FlexPaper which can be found here:

http://static.devaldi.com/GPL/FlexPaper_2.3.0.zip

All Spiric

  • Guest
This has been patched and fixed in the latest version of FlexPaper which can be found here:

http://static.devaldi.com/GPL/FlexPaper_2.3.0.zip


Awesome news... thanks for the heads up.

FlexPaper Team

  • Guest
I forgot to mention: there is no need to republish all documents that are already published. Only the FlexPaperViewer.swf needs to be replaced from the new build to apply this patch.

All Spiric

  • Guest
Yes, thanks for that. I assumed this would be the case.

We'll publish this info on all channels available to us.


Thanks again.

FlexPaper Team

  • Guest
Sorry, just realised we actually refreshed our builds this morning, so this will be the latest build:

http://static.devaldi.com/GPL/FlexPaper_2.3.1.zip

Merry X-Mas

FlexPaper Team

  • Guest
Just another friendly notice: we've had some issues with our CDN caching an incorrect build, so use the URL below and download it when/if you upgrade the viewer, to make sure you get the latest build:

http://flexpaper.devaldi.com/download.jsp#Classic

All Spiric

  • Guest
Wikileaks STILL hasn't updated the FlexPaper PDF viewer, putting EVERYONE at risk.

This is the checked URL: https://wikileaks.org/static/fp/FlexPaperViewer.swf

