
shockwave.7.txt

17 Aug 1999. Reported by Packet Storm (packetstormsecurity.com). Type: packetstorm

Shockwave 7 has a security hole that sends user data to Macromedia; an update will be available soon.

Code
`Date: Thu, 11 Mar 1999 13:53:41 -0400  
From: Sean Coates <[email protected]>  
To: [email protected]  
Subject: [Fwd: Shockwave 7 Security Hole]  
  
I just got this off a Lingo programming list (Macromedia Director 7  
scripting). Thought the Bugtraq community might appreciate it.  
  
-Sean Coates  
[email protected]  
  
Date: Thu, 11 Mar 1999 15:11:53 +0000  
From: Bernard Lang <[email protected]>  
To: [email protected]  
Subject: <lingo-l> Shockwave 7 Security Hole  
  
Dear all,  
Thought this little extract from Macuser might amuse you all (especially in  
the context of recent discussions about viewing users' hard  
disks/fileIo/Xtras etc.):  
  
---------------------------------------------------  
Macromedia Will Plug Shockwave 7 Security Hole This Week  
10 March - MacUser -- Macromedia is set to close a security loophole in  
Shockwave 7 after MacUser discovered the Web plug-in was sending personal  
user information, including passwords, back to Macromedia.  
The updated plug-in is being tested and will be available this week.  
The problem occurs in Shockwave 7's optional auto-update feature, which  
periodically checks the Macromedia download site for the latest revision of  
Shockwave.  
If it needs an update, the software reports back to Macromedia the Shockwave  
sites users have visited.  
But in cases where Web sites use password validation in their addresses,  
this information - which can include the passwords, as well as data about  
secure Web sites, even those behind a firewall, and hard disk information -  
is passed back to Macromedia.  
Although security risks are minor because Shockwave 7 encrypts data before  
sending it to Macromedia, other users could get information about how to  
attack a company's network.  
Macromedia was not aware of the problem when contacted, but is creating an  
updated Shockwave 7 plug-in which will strip obvious password information  
and port numbers from URLs before sending them.  
The update will record any non-standard URLs as "Not an http:// server",  
preventing information about local hard disks and ftp sites being  
transferred.  
Macromedia will also add a special parameter to the "embed" tag used to  
place Shockwave movies in a page that will stop the URL being recorded.  
  
Tut tut.  
  
Regards.  
  
Bernard Lang  
---------------------------  
Telegrafix Media Design  
Glebe Cottage  
15 High Street  
Burton in Lonsdale  
North Yorks  
LA6 3JU  
United Kingdom  
---------------------------  
[email protected]  
015242-62026  
---------------------------  
  
[To remove yourself from this list, or to change to digest mode, use the  
Lingo-L list management page available at  
http://www.penworks.com/LUJ/lingo-l.cgi]  
  
`
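The URL scrubbing that the article says the updated plug-in will perform, written out as an added example (not part of the original post and not Macromedia's code). It goes one step beyond the article by also dropping the query string and fragment; the function names, the `noRecord` field standing in for the unnamed "embed" parameter, and the treatment of `https:` like `http:` are assumptions.

```javascript
// Added example, not Macromedia's code. Names and the https policy are assumptions.
const PLACEHOLDER = "Not an http:// server"; // wording quoted in the article
const ALLOWED = new Set(["http:", "https:"]); // assumption: https treated like http

// Reduce one visited URL to what the article says the fixed plug-in reports.
function scrubUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return PLACEHOLDER; // unparseable input is never forwarded verbatim
  }
  if (!ALLOWED.has(u.protocol)) return PLACEHOLDER; // file:, ftp:, drive paths
  // Rebuild from parts: userinfo (user:password@) and the port are left out.
  // Going beyond the article: query and fragment are dropped too, since
  // "password validation in their addresses" can also sit in ?pw=... form.
  return `${u.protocol}//${u.hostname}${u.pathname}`;
}

// visits: [{ url, noRecord }] where noRecord models the page-level opt-out.
// The article does not name the embed parameter; this field is hypothetical.
function buildReport(visits) {
  const seen = new Set();
  for (const v of visits) {
    if (v.noRecord) continue; // opted-out pages are not recorded at all
    seen.add(scrubUrl(v.url));
  }
  return [...seen]; // de-duplicated, in first-seen order
}

// Constructed sample input (hosts and credentials are made up).
const sampleVisits = [
  { url: "http://alice:s3cret@intranet.example:8080/games/a.dcr?pw=s3cret#top" },
  { url: "file:///C:/Documents/movie.dcr" },
  { url: "ftp://bob:hunter2@ftp.example/pub/b.dcr" },
  { url: "https://shop.example/private/c.dcr", noRecord: true },
  { url: "http://intranet.example/games/a.dcr" },
];
console.log(buildReport(sampleVisits));
```

The scrubbed value still carries the host name and path, so internal host names remain visible to whoever receives the report.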
