XSS vulnerability in Flash fallback #381
This fixes it; injecting the callback is not possible with this: http://cdn.382f.flowplayer.me/adhoc/flowplayer.swf?callback=function(){alert(%22shit%22)}

Is a safe version of flowplayer.swf available anywhere? The site still points to version 3.2.16, which contains the vulnerability.

The fix is only for Flowplayer HTML5, and for version 5.4.2 - not yet released.

Ok, so I'm still looking for a fix for Flowplayer Flash, since it exhibits the same vulnerability. For Octopress, I'm detecting video capability with Modernizr and dynamically embedding a Flash player if needed, so I'm not planning to use Flowplayer HTML5. Will Flowplayer Flash be updated?

We tightened security for Flowplayer Flash in 3.2.16 in the sense that external config files in queries can only be loaded from the same domain as the core player - this already broke existing setups for sharing, including our own, but can be repaired.

Thanks for the response. I think I'll hold off on integrating Flowplayer Flash and instead allow people to individually integrate Flowplayer HTML5 if they want to have those features.

don't accept callback to be passed in the query string (#381)

@anssip the quick fix is It breaks also ?nocache=timestamp

Thanks @mala for getting back to this. Now fixed like this: 27e8f17. You can test with this version: http://cdn.578f.flowplayer.me/adhoc/flowplayer.swf?#&%63allback=alert%281%29
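The two fixes discussed above (rejecting `callback` outright, then handling the percent-encoded `%63allback` in the fragment) show why the check has to run after decoding and cover both the query and the fragment. The following is an added example, not Flowplayer code: it decodes each key and value once, merges fragment and query parameters, and only accepts a callback that is a plain dotted JavaScript identifier, so `?nocache=timestamp` keeps working while expression-shaped values are dropped. Hostnames in the comments are constructed.

```javascript
// Added example (not the project's code): accept a "callback" name only
// when it is a bare identifier such as "myPlayerReady" or "player.onLoad",
// never an expression like "alert(1)" or "function(){...}".
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Split "a=b&c=d" into pairs, percent-decoding keys as well as values.
// Decoding the key is what turns "%63allback" back into "callback".
function parseParams(str) {
  const out = {};
  for (const part of str.split('&')) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const rawKey = eq === -1 ? part : part.slice(0, eq);
    const rawVal = eq === -1 ? '' : part.slice(eq + 1);
    let key, val;
    try {
      key = decodeURIComponent(rawKey);
      val = decodeURIComponent(rawVal);
    } catch (e) {
      continue; // malformed escape sequence: ignore this pair
    }
    out[key] = val;
  }
  return out;
}

// Collect parameters from both the query ("?a=b") and the fragment
// ("#?a=b" or "#&a=b"); the bypass in this thread moves the parameter
// into the fragment. Query values win over fragment values on conflict.
function playerParams(url) {
  const u = new URL(url);
  const query = u.search.replace(/^\?/, '');
  const frag = u.hash.replace(/^#\??/, '');
  return { ...parseParams(frag), ...parseParams(query) };
}

// Return the callback name to invoke, or null when absent or unsafe.
function safeCallback(url) {
  const cb = playerParams(url).callback;
  if (cb === undefined) return null;
  return CALLBACK_NAME.test(cb) ? cb : null;
}
```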
@anssip Thanks!

Thanks for the updates. It would only take notably skilled experts to exploit this - which is otherwise all in vain.

For the record, this is still vulnerable after the patch: The newer version has its own XSS too: flowplayer/flash#263. So sadly all vulnerable at this point.

Interestingly, this doesn't work on 5.5.1 as it fails the decodeURIComponent function!

@irsdl ah, it's my mistake. I found this bypass pattern in other bug hunting, and I know mediaelement's case. I've just forgotten about flowplayer.

Flowplayer 6.x has been around for over a year already and the 5.x line most likely will not get any updates anymore. Also I have a hard time seeing how this could be exploited.

http://releases.flowplayer.org/5.4.1/flowplayer.swf#?callback=function()%7Balert('SuckIt')%7D