
XSS vulnerability in Flash fallback #381

Closed
anssip opened this Issue May 2, 2013 · 14 comments


@ghost ghost assigned anssip May 2, 2013

anssip added a commit that referenced this issue May 2, 2013

@anssip (Member Author) commented May 2, 2013

This fixes it; injecting the callback is not possible with this: http://cdn.382f.flowplayer.me/adhoc/flowplayer.swf?callback=function(){alert(%22shit%22)}

@anssip anssip closed this May 2, 2013

@imathis commented May 4, 2013

Is a safe version of flowplayer.swf available anywhere? The site still points to version 3.2.16 which contains the vulnerability.

@blacktrash (Member) commented May 4, 2013

The fix is only for Flowplayer HTML5. And for version 5.4.2 - not yet released.

@imathis commented May 4, 2013

Ok, so I'm still looking for a fix for Flowplayer Flash, since it exhibits the same vulnerability. For Octopress, I'm detecting video capability with Modernizr and dynamically embedding a Flash player if needed, so I'm not planning to use Flowplayer HTML5. Will Flowplayer Flash be updated?

@blacktrash (Member) commented May 4, 2013

We tightened security for Flowplayer Flash in 3.2.16 in the sense that external config files in queries can only be loaded from the same domain as the core player - this already broke existing setups for sharing, including our own, but can be repaired.
Personally I don't see a way to tighten this more in Flowplayer Flash - without refactoring the player completely, or losing tons of features. But I might be wrong. In any case, the place to discuss this is the Flowplayer Flash bug tracker: https://github.com/flowplayer/flash/issues

@imathis commented May 4, 2013

Thanks for the response. I think I'll hold off on integrating Flowplayer Flash and instead allow people to individually integrate Flowplayer HTML5 if they want to have those features.

anssip added a commit that referenced this issue May 14, 2013

Merge pull request #382 from flowplayer/bug/381
don't accept callback to be passed in the query string (#381)

@mala commented Nov 1, 2013

@anssip
I'm very sorry, please reopen this bug
http://releases.flowplayer.org/5.4.3/flowplayer.swf?%63allback=alert(1)

the quick fix is

    // reject any player URL that carries query parameters at all
    if (url.indexOf("?") > 0 && url.indexOf("=") > 0) { throw new Error("query parameters are not allowed"); }

It also breaks ?nocache=timestamp

@anssip (Member Author) commented Nov 11, 2013

Thanks @mala for getting back to this. Now fixed like this: 27e8f17

You can test with this version:

http://cdn.578f.flowplayer.me/adhoc/flowplayer.swf?#&%63allback=alert%281%29

@mala commented Nov 12, 2013

@anssip
I checked the patch and tested the new version.
It is safe if there isn't a very strange bug in Flash Player.

Thanks!

@pwntoken commented Jul 19, 2015

Thanks for the updates. It would only take notable skilled experts to exploit this - which is otherwise all vain.

@irsdl commented Sep 15, 2016

For the record, this is still vulnerable after the patch:
http://releases.flowplayer.org/5.4.4/flowplayer.swf?c%#allback=alert(1)

The newer version has its own XSS too: flowplayer/flash#263

So sadly all vulnerable at this point.

@irsdl commented Sep 15, 2016

Interestingly, this doesn't work on 5.5.1 as it fails the decodeURIComponent function!
http://releases.flowplayer.org/5.5.1/flowplayer.swf?c%#allback=alert(1)
Fixed the issue unintentionally, I guess.

@mala commented Sep 16, 2016

@irsdl ah, it's my mistake. I found this bypass pattern in other bug hunting, and I know mediaelement's case. I've just forgotten about flowplayer.
mailru/FileAPI#342 (comment)
https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c

@nnarhinen (Member) commented Sep 16, 2016

Flowplayer 6.x has been around for over a year already and the 5.x line most likely will not get any updates anymore. Also I have a hard time seeing how this could be exploited.
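Why the fixes in this thread kept being bypassed, as an added example that is not Flowplayer's code: a check that searches the raw query string for the literal name `callback` misses a percent-encoded name such as `%63allback`, and a malformed sequence such as `%#` is only safe if the parser rejects it outright rather than dropping or passing it through. The block assumes `nocache` is the only legitimate parameter; the constant and function names are made up for the example.

```javascript
// Added example, not Flowplayer's own code: contrasts a blocklist check on the
// raw query string with a decode-then-allowlist check. ALLOWED_PARAMS and all
// function names are assumptions made for this example.
const ALLOWED_PARAMS = new Set(["nocache"]); // assumption: only nocache is legitimate

// Blocklist on the raw query string: looks for the literal name "callback".
// A check of this shape is what "%63allback" and "c%#allback" slip past.
function rawBlocklistRejects(url) {
  const idx = url.indexOf("?");
  if (idx === -1) return false;
  return url.slice(idx + 1).indexOf("callback=") !== -1;
}

// Strict percent-decoding: returns null instead of throwing on a malformed
// sequence such as "%#", so the caller can treat it as a hard reject.
function strictDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return null;
  }
}

// Allowlist: split the query into name/value pairs, decode each name, and
// accept only if every name decodes cleanly to an allowed parameter.
// Assumption: everything after "?" counts as query, "#" included, since a
// plugin runtime need not honour the fragment delimiter the way a browser does.
function allowlistAccepts(url) {
  const idx = url.indexOf("?");
  if (idx === -1) return true;
  for (const pair of url.slice(idx + 1).split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = strictDecode(eq === -1 ? pair : pair.slice(0, eq));
    if (name === null || !ALLOWED_PARAMS.has(name)) return false;
  }
  return true;
}

// Constructed inputs modelled on the URLs quoted in this thread.
const SAMPLES = [
  "flowplayer.swf?callback=alert(1)",
  "flowplayer.swf?%63allback=alert(1)",
  "flowplayer.swf?c%#allback=alert(1)",
  "flowplayer.swf?nocache=1383264000",
];
for (const u of SAMPLES) {
  console.log(u, "| blocklist rejects:", rawBlocklistRejects(u),
              "| allowlist accepts:", allowlistAccepts(u));
}
```

The `?#&%63allback=...` test URL from anssip's comment is rejected for the same reason: `#` is not an allowed parameter name, so the allowlist never reaches the encoded one.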
