Unpatchable Quicktime XSS

2006-12-14T00:00:00
ID SECURITYVULNS:DOC:15389
Type securityvulns
Reporter Securityvulns
Modified 2006-12-14T00:00:00

Description

More / Resource: http://mxcore.com/?go=forums&thread=103

The QuickTime text track exploit might be fixed, but there are many more methods of executing code via QuickTime.

One way is to make an mx.mov file (in Notepad). This is not a text track and will not be patched in the next version of QuickTime, so websites like MySpace can't ask Apple to fix their own XSS. The best bet would be to filter the term "mov" from your site completely - just a suggestion.

Code:

<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="http://website.com/shortfile.mov" qtnext="javascript:alert('test')"></embed>

shortfile.mov must be on the same server as mx.mov. shortfile.mov should also be less than a second long; use the example.mov supplied with all QuickTime versions.

The exploit here is that QuickTime allows XML to run: after shortfile.mov (on the same server) has finished playing the actual movie, the qtnext attribute executes a command. This is sometimes used for advertisements, to show you a product and then redirect to a website.
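A content-based check a site could run on uploaded files, written for this page as an added example (it is not code from the advisory or from mxcore). It looks for the QuickTime media-link processing instruction shown above and flags any URL-bearing attribute whose value starts with a script scheme, so a QTL document named mx.mov is caught by what it contains rather than by its filename, which is a narrower control than filtering the term "mov" site-wide and still lets a legitimate qtnext that points at another movie through. Only qtnext and the javascript: scheme come from the advisory; the src/href attributes, the vbscript:/data: schemes and the <URL> bracket form are assumptions, and all sample inputs are constructed.

```python
import re
from typing import Dict, List, Tuple

# Processing instruction that marks a QuickTime media-link (QTL) file,
# as in the advisory: <?quicktime type="application/x-quicktime-media-link"?>
QTL_PI = re.compile(rb"<\?quicktime\b[^>]*x-quicktime-media-link", re.IGNORECASE)

# Attributes on a QTL <embed> that carry a URL QuickTime will load or
# navigate to.  qtnext is the one the advisory abuses; src and href are
# included as an assumption about other URL-bearing attributes.
ATTR_RE = re.compile(
    rb"""\b(qtnext|src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE
)

# Schemes that mean "run code" rather than "fetch a movie".  javascript:
# is the one in the advisory; the others are added as an assumption.
SCRIPT_SCHEMES = (b"javascript:", b"vbscript:", b"data:")


def normalise_url(raw: bytes) -> bytes:
    """Canonicalise an attribute value before looking at its scheme.

    Whitespace and control bytes are removed so that 'java\\tscript:' or a
    leading newline cannot hide the scheme, and a surrounding <...>
    (QuickTime's bracketed URL form, assumed here) is stripped.
    """
    value = re.sub(rb"[\x00-\x20]", b"", raw)
    if value.startswith(b"<"):
        value = value[1:]
        close = value.find(b">")
        if close != -1:
            value = value[:close]
    return value.lower()


def scan_qtl(data: bytes) -> Dict[str, object]:
    """Report whether the bytes are a QTL file carrying a script-scheme URL.

    Returns {"is_qtl": bool, "findings": [(attr, raw_value), ...],
             "verdict": "allow" | "block"}.
    A QTL whose URLs are all ordinary http(s) movies is allowed; the
    filename plays no part, so .mov, .qtl or any other name is treated alike.
    """
    findings: List[Tuple[str, str]] = []
    is_qtl = QTL_PI.search(data) is not None
    if is_qtl:
        for m in ATTR_RE.finditer(data):
            attr = m.group(1).decode("ascii").lower()
            raw = m.group(2) if m.group(2) is not None else m.group(3)
            if normalise_url(raw).startswith(SCRIPT_SCHEMES):
                findings.append((attr, raw.decode("latin-1")))
    return {
        "is_qtl": is_qtl,
        "findings": findings,
        "verdict": "block" if findings else "allow",
    }


# Constructed samples.  The first mirrors the advisory's mx.mov.
QTL_MALICIOUS = (
    b'<?xml version="1.0"?> '
    b'<?quicktime type="application/x-quicktime-media-link"?> '
    b'<embed src="http://website.com/shortfile.mov" qtnext="javascript:alert(\'test\')"></embed>'
)
# Same idea with the scheme broken up by whitespace, to exercise normalise_url.
QTL_OBFUSCATED = (
    b'<?xml version="1.0"?><?quicktime type="application/x-quicktime-media-link"?>'
    b'<embed src="http://website.com/shortfile.mov" qtnext="\n JAVA\tscript:alert(1)"/>'
)
# Legitimate advertisement-style use: play one movie, then chain to another.
QTL_BENIGN = (
    b'<?xml version="1.0"?><?quicktime type="application/x-quicktime-media-link"?>'
    b'<embed src="http://website.com/ad.mov" qtnext="http://website.com/feature.mov"/>'
)
# First bytes of a genuine QuickTime container (ftyp box), not XML at all.
REAL_MOV = b"\x00\x00\x00\x14ftypqt  \x00\x00\x00\x00qt  "

if __name__ == "__main__":
    for name, sample in [("malicious", QTL_MALICIOUS), ("obfuscated", QTL_OBFUSCATED),
                         ("benign", QTL_BENIGN), ("real mov", REAL_MOV)]:
        print(name, scan_qtl(sample))
```

The check deliberately works on raw bytes with regular expressions rather than an XML parser: the advisory's own file is not well-formed XML as posted, and a strict parser would reject (and therefore fail to inspect) exactly the inputs an upload filter most needs to look at.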