#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:  Camtasia Studio 6 
# Vendor:   TechSmith
# Subject:  Configuration Manipulation Vulnerability
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Michael Schmidt <michael.schmidt@csnc.ch>
# Date:     2009-08-20
#
#############################################################

Introduction:
-------------
Camtasia Studio 6 can be used to create animated flash videos. 
Among other things the flash videos can be supplemented 
with text messages and links to arbitrary websites. 
These links and text messages can be adapted through a parameter 
in the calling URL of the Flash Video. Redirection to arbitrary website,
Cross-Site-Scripting and displaying of crafted text messages is possible.


Affected:
---------
Vulnerable:
 * Camtasia Studio 6.0.1, 6.0.2, 6.0.3

Not vulnerable:
 * [no further versions tested]

Not tested:
 * [no further versions tested]

 
Technical Description
---------------------
The defined XML configuration compiled into flash videos created with Camtasia
Studio 6.0.2 can be overridden using the following crafted URL:

http://192.168.100.1/camtasia_config_vulnerability_demo.swf??config==<?xml version="1.0"
 encoding="UTF-8"?><main><config><hasToc type="Boolean">0</hasToc>
 <hasAudio type="Boolean">1</hasAudio><hasAbout type="Boolean">0</hasAbout>
 ...
 [CUT BY COMPASS]
 ...
 <tocInfo></tocInfo></main>
 
The corresponding lines in the source code:

frame 1 {
    config = '<?xml version="1.0" encoding="UTF-8"?><main><config><hasToc type="Boolean">
    0</hasToc><hasAudio type="Boolean">1</hasAudio><hasAbout type="Boolean">0</hasAbout>
    <hasFullscreen type="Boolean">0</hasFullscreen><hasPipOverlay type="Boolean">0
    ...
    [CUT BY COMPASS]
    ...
    <frameRate type="Number">15</array></playlist><tocInfo></tocInfo></main>';
  } 
 
Overriding this configuration makes it possible to adapt displayed text messages, redirect
users to foreign websites and launch Cross-Site-Scripting attacks. 


Timeline:
---------
2009-10-27:		Techsmith releases fix
2009-09-10:     Initial vendor notification
2009-08-20:     Discovery by Michael Schmidt


References:
-----------
http://www.techsmith.com/security/bulletins/B2_ConfigurationManipulationinFlashSWFFiles.asp