November 11, 2013 -- A security vulnerability was discovered by @soiaxx in YUI 2 involving self-hosted uploader.swf files. This vulnerability impacts YUI 2 versions 2.5.0 through 2.9.0 and allows arbitrary JavaScript to be run by passing in a query string parameter such as this one:
uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//
This problem is not reproducible in YUI 3.
If you are using, or even merely hosting, any YUI 2 .swf file, please take steps to remove these files from your hosts immediately.
YUI 2 is an end-of-life project and is no longer supported. All YUI 2 .swf files have been removed from the Yahoo CDN. If your site depended on loading these files from the Yahoo CDN, they are no longer available.
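As an added illustration that is not part of the original advisory, the following Python script shows two checks a site operator could run after reading it: one scans web-server access logs (combined log format assumed) for requests to an uploader.swf whose allowedDomain parameter is not a plain host name, the other lists .swf files under a web root so leftover YUI 2 copies can be found and removed. The log lines, IP addresses and paths in it are constructed samples, and the "allowedDomain must look like a host name" rule is this example's own assumption, not a documented YUI check.

```python
"""Detection and clean-up helpers for the YUI 2 uploader.swf advisory.

Check 1: flag access-log requests for uploader.swf. Any request is worth
         noting (the remediation is to remove the file); a request whose
         allowedDomain value is not a plain host name is flagged HIGH.
Check 2: list .swf files under a web root so they can be reviewed/removed.
All log lines and paths below are constructed samples, not real traffic.
"""
import os
import re
from urllib.parse import urlsplit, unquote_plus

# Apache/nginx "combined" format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption for this example: a legitimate allowedDomain is a host name,
# optionally with a leading wildcard label. Quotes, braces, parentheses and
# backslashes never belong in one.
HOSTNAME_RE = re.compile(r'^(\*\.)?[A-Za-z0-9.-]+$')


def suspicious_allowed_domain(value):
    """True if the already-decoded allowedDomain value is not a host name."""
    return HOSTNAME_RE.match(value) is None


def classify_request(target):
    """Classify one request target (path plus query string).

    Returns None if the target is not an uploader.swf, otherwise a
    (severity, reason) pair.
    """
    parts = urlsplit(target)
    if parts.path.rsplit('/', 1)[-1].lower() != 'uploader.swf':
        return None
    # Parse the query by hand so ';' inside a value is never treated as a
    # separator (parse_qs did that on older Python versions).
    for raw in parts.query.split('&'):
        key, _, value = raw.partition('=')
        if unquote_plus(key) != 'allowedDomain':
            continue
        value = unquote_plus(value)
        if suspicious_allowed_domain(value):
            return ('HIGH', 'allowedDomain is not a host name: %r' % value)
    return ('INFO', 'request for a YUI 2 uploader.swf; the file should be removed')


def scan_access_log(lines):
    """Return one dict per log line that requests an uploader.swf."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        verdict = classify_request(m.group('target'))
        if verdict is None:
            continue
        severity, reason = verdict
        hits.append({
            'client': m.group('client'),
            'time': m.group('ts'),
            'status': m.group('status'),
            'severity': severity,
            'reason': reason,
        })
    return hits


def find_swf_files(root):
    """List every .swf file under root (sorted) for review and removal."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith('.swf'):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


# Constructed sample log lines: one request carrying the query string quoted
# in the advisory, one with a plausible host name, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Nov/2013:10:15:02 +0000] "GET /yui/2.9.0/build/uploader/assets/'
    'uploader.swf?allowedDomain=\\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}// '
    'HTTP/1.1" 200 11543',
    '198.51.100.3 - - [11/Nov/2013:10:16:40 +0000] "GET /yui/2.9.0/build/uploader/assets/'
    'uploader.swf?allowedDomain=www.example.com HTTP/1.1" 200 11543',
    '198.51.100.9 - - [11/Nov/2013:10:17:01 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print('%(severity)s %(client)s %(time)s %(reason)s' % hit)
    for path in find_swf_files('.'):
        print('swf file present:', path)
```

Run it as-is to see the two sample hits, or feed `scan_access_log` an opened log file and point `find_swf_files` at a document root. Every hit is actionable: an INFO hit means a copy of uploader.swf is still being served and should be deleted; a HIGH hit additionally shows someone sending a value the parameter was never meant to carry.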
Our Security and YUI page has information about how to contact us for security-related issues.