My Findings about FusionCharts Vulnerabilities:
A) I found that an attacker is able to execute XSS attacks by loading an external XML file via the dataUrl parameter.
This parameter looks for a valid configuration file used to display graph data in FusionCharts,
for example (click the graph for the XSS PoC):
When the victim clicks on the malicious graph, the XSS payload runs on his client.
B) An attacker is able to perform a redirection attack (new tab) in Firefox. This can be done by using the LogoURL parameter.
This parameter allows the attacker to load an external SWF file.
To perform a redirection attack, the attacker uses the req.send function in ActionScript inside his malicious SWF file
(req.send("http://nirgoldshlager.com", "_blank", "GET");).
Cross Domain Policy file:
What about the anti-XSS regex in the ActionScript?
We all remember the old debugmode=1 bug in FusionCharts, right :)?
I have examined FusionCharts' ActionScript and discovered that they make a poor attempt at blocking cross-site scripting attacks, using a regex to match dangerous XSS attempts.
Also, you can use data:text/html; to bypass it, or mocha, livescript for older versions of Netscape.
The correct solution might be:
A new parameter (defaultDataFile) has been revealed which is vulnerable to a new XSS attack.
There is another parameter called defaultDataFile; this parameter can be used to trigger another XSS in case the DataURL parameter is protected/blocked:
var _defaultDataFile = unescape(getFirstValue(rootAttr.defaultdatafile, "Data.xml"));
We can use this parameter to execute an XSS attack,
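An added example, not code from the original post or from FusionCharts: a scheme and origin allowlist for the URL-carrying parameters named above (dataUrl, defaultDataFile, LogoURL), applied by the page that embeds the chart, in place of a blocklist regex. The origin, the path prefix and all function names are assumptions made for illustration.

```javascript
// Added example: allowlist check for URL-valued chart parameters.
// PAGE_ORIGIN and ALLOWED_PREFIX are constructed values, not from the post.
const PAGE_ORIGIN = "https://charts.example.com";
const ALLOWED_PREFIX = "/chartdata/";
const URL_PARAMS = ["dataurl", "defaultdatafile", "logourl"];

// The SWF calls unescape() on top of the browser's query-string decoding,
// so decode until the value stops changing before judging it.
function fullyDecode(value) {
  let current = value;
  for (let round = 0; round < 5; round++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { return null; }
    if (next === current) return current;
    current = next;
  }
  return null; // still changing after 5 rounds: reject
}

// Accept only same-origin https URLs under the chart data directory.
function isSafeChartUrl(raw) {
  const decoded = fullyDecode(String(raw));
  if (decoded === null) return false;
  // URL parsers silently drop control characters and rewrite backslashes.
  if (/[\u0000-\u001f\\]/.test(decoded)) return false;
  let url;
  try { url = new URL(decoded, PAGE_ORIGIN + "/"); } catch (e) { return false; }
  return url.protocol === "https:" &&
         url.origin === PAGE_ORIGIN &&
         url.pathname.startsWith(ALLOWED_PREFIX);
}

// Return the names of URL-carrying parameters that fail the check.
function rejectedParams(queryString) {
  const bad = [];
  for (const [name, value] of new URLSearchParams(queryString)) {
    if (URL_PARAMS.includes(name.toLowerCase()) && !isSafeChartUrl(value)) {
      bad.push(name);
    }
  }
  return bad;
}
```

Because the check parses the value and compares scheme, origin and path, it does not depend on enumerating dangerous strings, which is where the regex approach fails.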