This repository has been archived by the owner on Sep 30, 2021. It is now read-only.

XSS vulnerability in Flash fallback #381

Closed
anssip opened this issue May 2, 2013 · 14 comments

Comments

@anssip

anssip commented May 2, 2013

http://releases.flowplayer.org/5.4.1/flowplayer.swf#?callback=function()%7Balert('SuckIt')%7D

@anssip

anssip commented May 2, 2013

This fixes it; injecting the callback is not possible with this: http://cdn.382f.flowplayer.me/adhoc/flowplayer.swf?callback=function(){alert(%22shit%22)}

@anssip anssip closed this as completed May 2, 2013
@imathis

imathis commented May 4, 2013

Is a safe version of flowplayer.swf available anywhere? The site still points to version 3.2.16 which contains the vulnerability.

@phloxic

phloxic commented May 4, 2013

The fix is only for Flowplayer HTML5. And for version 5.4.2 - not yet released.

@imathis

imathis commented May 4, 2013

Ok, so I'm still looking for a fix for Flowplayer Flash, since it exhibits the same vulnerability. For Octopress, I'm detecting video capability with Modernizr and dynamically embedding a Flash player if needed, so I'm not planning to use Flowplayer HTML5. Will Flowplayer Flash be updated?

@phloxic

phloxic commented May 4, 2013

We tightened security for Flowplayer Flash in 3.2.16 in the sense that external config files in queries can only be loaded from the same domain as the core player - this already broke existing setups for sharing, including our own, but can be repaired.
Personally I don't see a way to tighten this more in Flowplayer Flash - without refactoring the player completely, or losing tons of features. But I might be wrong. In any case, the place to discuss this is the Flowplayer Flash bug tracker: https://github.com/flowplayer/flash/issues

@imathis

imathis commented May 4, 2013

Thanks for the response. I think I'll hold off on integrating Flowplayer Flash and instead allow people to individually integrate Flowplayer HTML5 if they want to have those features.

anssip added a commit that referenced this issue May 14, 2013
don't accept callback to be passed in the query string (#381)
@mala

mala commented Nov 1, 2013

@anssip
I'm very sorry, please reopen this bug
http://releases.flowplayer.org/5.4.3/flowplayer.swf?%63allback=alert(1)

the quick fix is

    // reject any query string that carries a key=value pair
    if (url.indexOf("?") > 0 && url.indexOf("=") > 0) { throw new Error("query parameters are not allowed"); }

It also breaks ?nocache=timestamp

@anssip

anssip commented Nov 11, 2013

Thanks @mala for getting back to this. Now fixed like this: 27e8f17

You can test with this version:

http://cdn.578f.flowplayer.me/adhoc/flowplayer.swf?#&%63allback=alert%281%29

@mala

mala commented Nov 12, 2013

@anssip
I checked the patch and tested the new version.
It is safe if there isn't a very strange bug in Flash Player.

Thanks!

@pwntoken

Thanks for the updates. It would only take notably skilled experts to exploit this - which is otherwise all in vain.

@irsdl

irsdl commented Sep 15, 2016

For the record, this is still vulnerable after the patch:
http://releases.flowplayer.org/5.4.4/flowplayer.swf?c%#allback=alert(1)

The newer version has its own XSS too: flowplayer/flash#263

So sadly all vulnerable at this point.

@irsdl

irsdl commented Sep 15, 2016

Interestingly, this doesn't work on 5.5.1 as it fails the decodeURIComponent function!
http://releases.flowplayer.org/5.5.1/flowplayer.swf?c%#allback=alert(1)
Fixed the issue unintentionally, I guess.

@mala

mala commented Sep 16, 2016

@irsdl ah, it's my mistake. I found this bypass pattern in other bug hunting, and I know mediaelement's case. I've just forgotten about flowplayer.
mailru/FileAPI#342 (comment)
https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
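An added example, not code from Flowplayer or from any participant in this thread: a defender-side check for a JSONP-style callback parameter. It contrasts a literal substring check, which the percent-encoded `%63allback` variant above slips past, with decoding each name and value first, failing closed when an escape is malformed (as in `c%#allback`), and accepting only a plain dotted identifier. It uses a plain "query runs from the first ? to the next #" parse and does not emulate Flash's own URL handling; the benign `example.invalid` URLs in the comments are constructed.

```javascript
// Strict allowlist for a callback name: a dotted JavaScript identifier
// such as "flowplayer.ready". Code such as "alert(1)" cannot match.
const CALLBACK_IDENT = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// A literal substring check only sees the raw text, so the
// percent-encoded "%63allback=" variant from the thread is missed.
function naiveSeesCallback(url) {
  return url.indexOf("callback=") !== -1;
}

// Decode one token; a malformed escape such as "c%" makes
// decodeURIComponent throw, and we fail closed by returning null.
function safeDecode(token) {
  try {
    return decodeURIComponent(token);
  } catch (e) {
    return null;
  }
}

// Parse everything after the first "?" up to the next "#" into a Map of
// decoded name -> decoded value (a Map, so "__proto__" is just a key).
// Returns null if any token cannot be decoded: refuse, don't guess.
function parseQuery(url) {
  const q = url.indexOf("?");
  if (q === -1) return new Map();
  let query = url.slice(q + 1);
  const h = query.indexOf("#");
  if (h !== -1) query = query.slice(0, h);
  const params = new Map();
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = safeDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = safeDecode(eq === -1 ? "" : pair.slice(eq + 1));
    if (name === null || value === null) return null;
    params.set(name, value);
  }
  return params;
}

// Hardened check: decode first, then accept the callback only if it is a
// plain identifier. Returns { ok, callback } or { ok: false, reason }.
function checkCallback(url) {
  const params = parseQuery(url);
  if (params === null) return { ok: false, reason: "undecodable query" };
  if (!params.has("callback")) return { ok: true, callback: null };
  const cb = params.get("callback");
  if (!CALLBACK_IDENT.test(cb)) return { ok: false, reason: "callback is not an identifier" };
  return { ok: true, callback: cb };
}
```

A constructed benign URL such as `http://example.invalid/flowplayer.swf?nocache=1383260000&callback=flowplayer.ready` passes with `callback` set to `flowplayer.ready`, so a cache-busting parameter keeps working.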

@nnarhinen

Flowplayer 6.x has been around for over a year already, and the 5.x line most likely will not get any updates anymore. Also, I have a hard time seeing how this could be exploited.


7 participants