YUI 2.8.2 Security Bulletin: Addressing a Vulnerability in YUI 2.4.0 through YUI 2.8.1

A security-related defect was introduced in the YUI 2 Flash component infrastructure beginning with the YUI 2.4.0 release. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files. YUI 2.8.2 corrects this problem; patches are also provided here for all affected releases from 2.4.0 through 2.8.1.

Even if your site does not use the affected components, it is affected by this vulnerability as long as it hosts a YUI 2 distribution between version 2.4.0 and 2.8.1 that includes these files.

If your site loads YUI 2 from Yahoo's CDN (yui.yahooapis.com) or from Google's CDN (ajax.googleapis.com), and the files are not hosted on your own domain, you are not affected. YUI 3 is not affected by this issue.

To address the vulnerability, follow these three steps:

1. Check

Determine whether you are hosting affected files from the YUI 2.4.0 - 2.8.1 distributions. You can do this by checking the MD5s of the .swf files in your hosted YUI 2 directory against the list of affected files below.

2. Patch

There are three ways to secure your site:

  1. Load YUI from the Yahoo! CDN (all versions) or Google CDN (versions 2.6.0 and later) and delete the affected YUI 2 files from your own domain. The YUI 2 Dependency Configurator can help you generate URLs for either CDN. (Yahoo!'s CDN supports combo-handling but not SSL; Google's supports SSL but not combo-handling.)
  2. Download drop-in replacements for the affected files and replace the affected files with the patched versions.
  3. Upgrade to YUI 2.8.2, making sure to remove all previous YUI versions from your domain.

3. Verify

Recheck your site by comparing the MD5s of the YUI 2 .swf files hosted on your domain against the list below, and ensure that the vulnerable files listed on this page are no longer present on your server.
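The Check and Verify steps are the same comparison run before and after patching. The following POSIX shell script is an added example, not part of the bulletin or the YUI project's own tooling: it walks a hosted YUI 2 directory, hashes every .swf it finds with md5sum (Linux) or md5 (OS X), and classifies each hash as "vulnerable" (an Old MD5 from the table below), "patched" (a New MD5 from the table below) or "unknown" (not listed, e.g. a build of YUI 2.8.2 or a version not covered by this bulletin). The hash lists are copied from the table; the directory path and function names are the example's own.

```shell
#!/bin/sh
# Added example: scan a hosted YUI 2 tree for the .swf files named in this bulletin.
# Hash values below are the "Old MD5" (vulnerable) and "New MD5" (patched) entries
# from the bulletin's table; everything else (names, layout) is this example's own.

# Old MD5 values of the affected charts.swf / uploader.swf / swfstore.swf builds.
YUI_OLD_MD5S="
329254385eaa6d9c24da093d70680dd9
57bec7baafc946b62eab55bd97857653
7571ff3667b3b1a39d1f93faccf5a9cc
8a3a3c628eb8c2b2829ccce65ba33075
33eb7bfcf62d02e7d79ffbaaceb9a603
8890bf87a83994c857ae3fa4eea97de2
59c6e2c9ae7de87f11dd3db3336de8b6
90a9b50f35961f45b705966736466485
85c7520f4580aaf5bdba1d428121099d
bf36d6b72f172e758986292ffe6ccecf
02e3dab263ab0ed0d2a30bba9e091d96
52f36a13ac4ee2743531de3e29c0b55c
eeb5aa24c17afae286845bedb142da28
f619420748b08a2d453c049ef190e2f3
"

# New MD5 values of the drop-in replacement files.
YUI_NEW_MD5S="
efda98fdd0ab81f97af1b675f809bcc4
1c1aa14050f837236541b940781ff607
dd337b66da67de5d94fb67dd40bd77f6
aaefcfce0b41a4d3a2d4433441bc7736
5b72b270f346a7bbe1da7482ea8542b8
d58d82ae87762d1d0c954e6a811422ee
ec48b68ad1fad4c322df1ee8c0c0dbd6
668bd3223a21f814668d1da1e0abc764
e6ca28e24c655877ad3072ce5fa6e234
20fa166d664c0151c1c7fb872104068f
25c4e8920988020517d26a3aff582522
a8a77cd419fedd4ca8b85a88acac327a
8526b66bd23fe8cebfa3426ad9c74ff0
967bec3a39d75872c1813db9198f90ef
"

# Print the lowercase MD5 of a file, using md5sum (Linux) or md5 -q (OS X / BSD).
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# Map one hash to vulnerable | patched | unknown (whole-line, case-insensitive match).
classify_md5() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  if printf '%s\n' "$YUI_OLD_MD5S" | grep -qx "$h"; then
    echo vulnerable
  elif printf '%s\n' "$YUI_NEW_MD5S" | grep -qx "$h"; then
    echo patched
  else
    echo unknown
  fi
}

# One report line per .swf under the directory: "<status> <md5> <path>".
scan_yui_dir() {
  find "$1" -type f -name '*.swf' | while IFS= read -r f; do
    h=$(md5_of "$f")
    printf '%s %s %s\n' "$(classify_md5 "$h")" "$h" "$f"
  done
}

# Number of .swf files under the directory that still carry a vulnerable hash.
count_vulnerable_swf() {
  scan_yui_dir "$1" | grep -c '^vulnerable ' || true
}

# Usage: sh yui_swf_check.sh /var/www/html/yui   (path is an example; use your hosted YUI 2 root)
if [ -n "${1:-}" ]; then
  scan_yui_dir "$1"
  echo "vulnerable files: $(count_vulnerable_swf "$1")"
fi
```

Run it once before patching (any "vulnerable" line is a file to replace or delete) and again afterwards; the Verify step is complete only when the count is zero. An "unknown" result means the file is not one the bulletin describes, so confirm its origin rather than treating it as safe.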

Where to Get Support:

Questions can be addressed to YUI developers and community members via this thread on the YUI Forums.

Live support may be available on the #yui IRC channel on Freenode.net.

Affected Files and Patches

The following files are known to be affected by this vulnerability. To find the MD5 hash of the files you are hosting, use the md5 or md5sum utility on Linux or OS X, or this equivalent application on Windows. Compare the result against the Old MD5 (vulnerable) and New MD5 (patched) values listed for your version.

yui 2.4.0
  File: /build/charts/assets/charts.swf
  Old MD5: 329254385eaa6d9c24da093d70680dd9
  New MD5: efda98fdd0ab81f97af1b675f809bcc4
  Patch: charts.swf

yui 2.4.1
  File: /build/charts/assets/charts.swf
  Old MD5: 57bec7baafc946b62eab55bd97857653
  New MD5: 1c1aa14050f837236541b940781ff607
  Patch: charts.swf

yui 2.5.0
  File: /build/charts/assets/charts.swf
  Old MD5: 7571ff3667b3b1a39d1f93faccf5a9cc
  New MD5: dd337b66da67de5d94fb67dd40bd77f6
  Patch: charts.swf
  File: /build/uploader/assets/uploader.swf
  Old MD5: 90a9b50f35961f45b705966736466485
  New MD5: aaefcfce0b41a4d3a2d4433441bc7736
  Patch: uploader.swf

yui 2.5.1
  File: /build/charts/assets/charts.swf
  Old MD5: 7571ff3667b3b1a39d1f93faccf5a9cc
  New MD5: dd337b66da67de5d94fb67dd40bd77f6
  Patch: charts.swf
  File: /build/uploader/assets/uploader.swf
  Old MD5: 85c7520f4580aaf5bdba1d428121099d
  New MD5: 5b72b270f346a7bbe1da7482ea8542b8
  Patch: uploader.swf

yui 2.5.2
  File: /build/charts/assets/charts.swf
  Old MD5: 8a3a3c628eb8c2b2829ccce65ba33075
  New MD5: d58d82ae87762d1d0c954e6a811422ee
  Patch: charts.swf
  File: /build/uploader/assets/uploader.swf
  Old MD5: 85c7520f4580aaf5bdba1d428121099d
  New MD5: 5b72b270f346a7bbe1da7482ea8542b8
  Patch: uploader.swf

yui 2.6.0
  File: /build/charts/assets/charts.swf
  Old MD5: 33eb7bfcf62d02e7d79ffbaaceb9a603
  New MD5: ec48b68ad1fad4c322df1ee8c0c0dbd6
  Patch: charts.swf
  File: /build/uploader/assets/uploader.swf
  Old MD5: bf36d6b72f172e758986292ffe6ccecf
  New MD5: 668bd3223a21f814668d1da1e0abc764
  Patch: uploader.swf

yui 2.7.0
  File: /build/charts/assets/charts.swf
  Old MD5: 8890bf87a83994c857ae3fa4eea97de2
  New MD5: e6ca28e24c655877ad3072ce5fa6e234
  Patch: charts.swf
  File: /build/uploader/assets/uploader.swf
  Old MD5: 02e3dab263ab0ed0d2a30bba9e091d96
  New MD5: 20fa166d664c0151c1c7fb872104068f
  Patch: uploader.swf

yui 2.8.0
  File: /build/charts/assets/charts.swf
  Old MD5: 59c6e2c9ae7de87f11dd3db3336de8b6
  New MD5: 25c4e8920988020517d26a3aff582522
  Patch: charts.swf
  File: /build/uploader/assets/uploader.swf
  Old MD5: 52f36a13ac4ee2743531de3e29c0b55c
  New MD5: a8a77cd419fedd4ca8b85a88acac327a
  Patch: uploader.swf
  File: /build/swfstore/swfstore.swf
  Old MD5: f619420748b08a2d453c049ef190e2f3
  New MD5: 8526b66bd23fe8cebfa3426ad9c74ff0
  Patch: swfstore.swf

yui 2.8.1 PR1
  File: /build/charts/assets/charts.swf
  Old MD5: 59c6e2c9ae7de87f11dd3db3336de8b6
  New MD5: 25c4e8920988020517d26a3aff582522
  Patch: charts.swf
  File: /build/uploader/assets/uploader.swf
  Old MD5: eeb5aa24c17afae286845bedb142da28
  New MD5: 967bec3a39d75872c1813db9198f90ef
  Patch: uploader.swf
  File: /build/swfstore/swfstore.swf
  Old MD5: f619420748b08a2d453c049ef190e2f3
  New MD5: 8526b66bd23fe8cebfa3426ad9c74ff0
  Patch: swfstore.swf

yui 2.8.1
  File: /build/charts/assets/charts.swf
  Old MD5: 59c6e2c9ae7de87f11dd3db3336de8b6
  New MD5: 25c4e8920988020517d26a3aff582522
  Patch: charts.swf
  File: /build/uploader/assets/uploader.swf
  Old MD5: eeb5aa24c17afae286845bedb142da28
  New MD5: 967bec3a39d75872c1813db9198f90ef
  Patch: uploader.swf
  File: /build/swfstore/swfstore.swf
  Old MD5: f619420748b08a2d453c049ef190e2f3
  New MD5: 8526b66bd23fe8cebfa3426ad9c74ff0
  Patch: swfstore.swf