Security Bulletin: Addressing a Vulnerability in YUI 2.4.0 through YUI 2.9.0

October 30, 2012 -- A XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files. Patched files are provided below.

Note: This vulnerability is similar to, but not the same as, the vulnerability that was announced in 2010.

Note: This vulnerability is also listed under CVE-2012-5881, CVE-2012-5882, and CVE-2012-5883.

If your site loads YUI 2 from a CDN (yui.yahooapis.com, ajax.googleapis.com, etc.) and not from your own domain, you are not affected. YUI 3 is not affected by this issue.

Whether or not your site uses the affected components, simply hosting an affected file means you are vulnerable. Follow these steps to resolve the issue:

1. Check

Determine whether you are hosting affected files from YUI versions 2.4.0 - 2.9.0. You can do this by checking the MD5s of the .swf files in your hosted YUI 2 directory.

2. Resolve

You have 3 options for resolving the issue:

  1. If you are hosting affected YUI 2 .swf files but not using them, simply delete them from your servers to resolve the vulnerability.

  2. Download drop-in replacements for the affected files and replace the affected files with the patched versions.

  3. Load the assets from CDN rather than hosting on your servers. The YUI 2 Dependency Configurator can help you generate URLs for either CDN. (Yahoo!'s CDN support's combo-handling but not SSL; Google's supports SSL but not combo-handling.)

3. Verify

Recheck your site comparing MD5s for YUI 2 .swf files hosted on your domain and ensuring that the vulnerable files listed on this page are no longer present on your server.

Affected Files and Patches

The following files are known to be compromised by this vulnerability. To find out the MD5 hash of the files you are hosting, use either the md5 or md5sum utility on Linux or OS X, or this equivalent application on Windows.

Version File Old MD5s Patch
2.4.0 charts.swf 329254385eaa6d9c24da093d70680dd9
efda98fdd0ab81f97af1b675f809bcc4 		charts.swf
5a73eca26f1561b95658dcb1d95ae101
2.4.1 charts.swf 57bec7baafc946b62eab55bd97857653
1c1aa14050f837236541b940781ff607 		charts.swf
5a73eca26f1561b95658dcb1d95ae101
2.5.0 charts.swf 7571ff3667b3b1a39d1f93faccf5a9cc
dd337b66da67de5d94fb67dd40bd77f6 		charts.swf
5a73eca26f1561b95658dcb1d95ae101
2.5.0 uploader.swf 90a9b50f35961f45b705966736466485
aaefcfce0b41a4d3a2d4433441bc7736 		uploader.swf
886d833cdfe17f7976a8f4e733de1660
2.5.1 charts.swf 7571ff3667b3b1a39d1f93faccf5a9cc
dd337b66da67de5d94fb67dd40bd77f6 		charts.swf
5a73eca26f1561b95658dcb1d95ae101
2.5.1 uploader.swf 85c7520f4580aaf5bdba1d428121099d
5b72b270f346a7bbe1da7482ea8542b8 		uploader.swf
886d833cdfe17f7976a8f4e733de1660
2.5.2 charts.swf 8a3a3c628eb8c2b2829ccce65ba33075
d58d82ae87762d1d0c954e6a811422ee 		charts.swf
621e8cdaa6a2db3c123270ebc6bb971f
2.5.2 uploader.swf 85c7520f4580aaf5bdba1d428121099d
5b72b270f346a7bbe1da7482ea8542b8 		uploader.swf
886d833cdfe17f7976a8f4e733de1660
2.6.0 charts.swf 33eb7bfcf62d02e7d79ffbaaceb9a603
ec48b68ad1fad4c322df1ee8c0c0dbd6 		charts.swf
9854e6dca7ac652c0cf7cd7f176b4d3c
2.6.0 uploader.swf bf36d6b72f172e758986292ffe6ccecf
668bd3223a21f814668d1da1e0abc764 		uploader.swf
886d833cdfe17f7976a8f4e733de1660
2.7.0 charts.swf 8890bf87a83994c857ae3fa4eea97de2
e6ca28e24c655877ad3072ce5fa6e234 		charts.swf
489c69e62e3dc7d2c2f92ae488bcae07
2.7.0 uploader.swf 02e3dab263ab0ed0d2a30bba9e091d96
20fa166d664c0151c1c7fb872104068f 		uploader.swf
3f9a4f306af1e927819fa447bf2a671d
2.8.0 charts.swf 59c6e2c9ae7de87f11dd3db3336de8b6
25c4e8920988020517d26a3aff582522 		charts.swf
deadc52ddc97d8f4e0d7116cc20fa09c
2.8.0 uploader.swf 52f36a13ac4ee2743531de3e29c0b55c
a8a77cd419fedd4ca8b85a88acac327a 		uploader.swf
87174cd2a467e9a5647f0b88ecf2d94d
2.8.0 swfstore.swf f619420748b08a2d453c049ef190e2f3
8526b66bd23fe8cebfa3426ad9c74ff0 		swfstore.swf
0114ab8c878ac4e48fd110f32164258b
2.8.1pr1 charts.swf 59c6e2c9ae7de87f11dd3db3336de8b6
25c4e8920988020517d26a3aff582522 		charts.swf
deadc52ddc97d8f4e0d7116cc20fa09c
2.8.1pr1 uploader.swf 52f36a13ac4ee2743531de3e29c0b55c
a8a77cd419fedd4ca8b85a88acac327a 		uploader.swf
87174cd2a467e9a5647f0b88ecf2d94d
2.8.1pr1 swfstore.swf f619420748b08a2d453c049ef190e2f3
8526b66bd23fe8cebfa3426ad9c74ff0 		swfstore.swf
0114ab8c878ac4e48fd110f32164258b
2.8.1 charts.swf 59c6e2c9ae7de87f11dd3db3336de8b6
25c4e8920988020517d26a3aff582522 		charts.swf
deadc52ddc97d8f4e0d7116cc20fa09c
2.8.1 swfstore.swf f619420748b08a2d453c049ef190e2f3
8526b66bd23fe8cebfa3426ad9c74ff0 		swfstore.swf
0114ab8c878ac4e48fd110f32164258b
2.8.1 uploader.swf 52f36a13ac4ee2743531de3e29c0b55c
a8a77cd419fedd4ca8b85a88acac327a 		uploader.swf
87174cd2a467e9a5647f0b88ecf2d94d
2.8.2 charts.swf 923c8afe50fc45ed42d92d6ab83b11f6 charts.swf
d81f5e275882cd43b0204c7f3b0f9282
2.8.2 uploader.swf eeb5aa24c17afae286845bedb142da28
967bec3a39d75872c1813db9198f90ef 		uploader.swf
55a4cd82f32b7e88f4328ff0b9fbccef
2.8.2 swfstore.swf 8526b66bd23fe8cebfa3426ad9c74ff0 swfstore.swf
0114ab8c878ac4e48fd110f32164258b
2.9.0pr2 charts.swf ba8b1b50b26530b618d520960864f876 charts.swf
aa88167e49fb38c4b2e2a58de0cd9dc0
2.9.0pr2 uploader.swf 646e1dfba0801ec88039409da9fb35ad uploader.swf
bdaa0317dbdb8691f4eb2b013d4b6484
2.9.0pr4 charts.swf 15d4718264765f3b01014fb466281fe0 charts.swf
efc872a9119d55d10c9a7fb301417a88
2.9.0pr4 uploader.swf 646e1dfba0801ec88039409da9fb35ad uploader.swf
bdaa0317dbdb8691f4eb2b013d4b6484
2.9.0 charts.swf 15d4718264765f3b01014fb466281fe0 charts.swf
efc872a9119d55d10c9a7fb301417a88
2.9.0 uploader.swf 646e1dfba0801ec88039409da9fb35ad uploader.swf
bdaa0317dbdb8691f4eb2b013d4b6484
2.9.0 swfstore.swf 844a3718c5f8c04ece6a86065a658a07 swfstore.swf
42af62409ff28a1880f5e77697af5b2e

Support

Our Security and YUI page has information about how to contact us for security-related issues.