Original issue link: #381 XSS vulnerability in Flash fallback
anssip commented on May 2, 2013
This fixes it; injecting the callback is not possible with this: http://cdn.382f.flowplayer.me/adhoc/flowplayer.swf?callback=function(){alert(%22shit%22)}
imathis commented on May 4, 2013
Is a safe version of flowplayer.swf available anywhere? The site still points to version 3.2.16 which contains the vulnerability.
phloxic commented on May 4, 2013
The fix is only for Flowplayer HTML5. And for version 5.4.2 - not yet released.
imathis commented on May 4, 2013
Ok, so I'm still looking for a fix for Flowplayer Flash, since it exhibits the same vulnerability. For Octopress, I'm detecting video capability and with Modernizr and dynamically embedding a flash player if needed so I'm not planning to use Flowplayer HTML5. Will Flowplayer Flash be updated?
phloxic commented on May 4, 2013
We tightened security for Flowplayer Flash in 3.2.16 in the sense that external config files in queries can only be loaded from the same domain as the core player - this already broke existing setups for sharing, including our own, but can be repaired.
Personally I don't see a way to tighten this more in Flowplayer Flash - without refactoring the player completely, or losing tons of features. But I might be wrong. In any case, the place to discuss this is the Flowplayer Flash bug tracker: https://github.com/flowplayer/flash/issues
imathis commented on May 4, 2013
Thanks for the response. I think I'll hold off on integrating Flowplayer Flash and instead allow people to individually integrate Flowplayer HTML5 if they want to have those features.
mala commented on Nov 1, 2013
@anssip
I'm very sorry, please reopen this bug
http://releases.flowplayer.org/5.4.3/flowplayer.swf?%63allback=alert(1)
the quick fix is
```javascript
// Reject any player URL that carries a query string with a parameter assignment.
if (url.indexOf("?") > 0 && url.indexOf("=") > 0) {
  throw new Error("query parameters are not allowed in the player URL");
}
```
It breaks also ?nocache=timestamp
anssip commented on Nov 11, 2013
Thanks @mala for getting back to this. Now fixed like this: flowplayer@27e8f17
You can test with this version:
mala commented on Nov 12, 2013
@anssip
I checked the patch and I tested new version.
It is safe if there isn't a very strange bug in Flash Player.
Thanks!
pwntoken commented on Jul 19, 2015
Thanks for the updates. It would only take notably skilled experts to exploit this - which is otherwise all in vain.
irsdl commented on Sep 15, 2016
For the record, this is still vulnerable after the patch:
http://releases.flowplayer.org/5.4.4/flowplayer.swf?c%#allback=alert(1)
The newer version has its own XSS too: flowplayer/flash#263
So sadly all vulnerable at this point.
irsdl commented on Sep 15, 2016
Interestingly, this doesn't work on 5.5.1 as it fails the decodeURIComponent function!
http://releases.flowplayer.org/5.5.1/flowplayer.swf?c%#allback=alert(1)
Fixes the issue unintentionally, I guess.
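The thread shows two ways a query-string filter on the SWF URL can go wrong: mala's quick check on `?` and `=` rejects the legitimate `?nocache=timestamp` (his own caveat), and a filter that decodes before inspecting trips over a malformed percent sequence such as `c%#allback`, which is why `decodeURIComponent` throws on it in 5.5.1. The following is an added example, not Flowplayer's code or any fix from this thread: a validator that parses the URL with the WHATWG `URL` class (global in Node and browsers), refuses any fragment or undecodable query, and only then checks the decoded parameter names against an allowlist, so `%63allback` is seen as `callback`. The allowlist itself (`nocache` with a purely numeric value) is an assumption chosen to match the cache-buster mentioned in the thread; the thread's own check is kept alongside for comparison.

```javascript
// Added example (not Flowplayer's code): validating a SWF URL before embedding it.
// Assumption: the only legitimate query parameter is "nocache" with a numeric value.
const DEFAULT_ALLOWED = { nocache: /^\d{1,20}$/ };

// The quick check quoted in the thread: rejects any URL that contains both "?" and "=".
// Returns true when that check would throw, so its over-blocking is visible.
function naiveQueryCheckRejects(url) {
  return url.indexOf("?") > 0 && url.indexOf("=") > 0;
}

// True if decodeURIComponent accepts the string; a dangling "%" (as in "c%#allback")
// makes it throw a URIError, which is the behaviour the thread observed in 5.5.1.
function decodesCleanly(s) {
  try {
    decodeURIComponent(s);
    return true;
  } catch (e) {
    return false;
  }
}

// Returns true only if `urlString` is an absolute http(s) URL whose path ends in ".swf",
// carries no fragment, has a fully decodable query, and every query parameter is in
// `allowed` with a value matching that parameter's pattern.
function isSafeSwfUrl(urlString, allowed = DEFAULT_ALLOWED) {
  let u;
  try {
    u = new URL(urlString);          // rejects relative and syntactically invalid URLs
  } catch (e) {
    return false;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (!/\.swf$/i.test(u.pathname)) return false;
  if (u.hash !== "") return false;   // "?c%#allback=..." puts "allback=..." in the fragment
  if (!decodesCleanly(u.search)) return false;  // never hand a malformed query to the player
  for (const [name, value] of u.searchParams) { // names arrive percent-decoded here
    // hasOwnProperty guards against names like "constructor" matching Object.prototype
    if (!Object.prototype.hasOwnProperty.call(allowed, name)) return false;
    if (!allowed[name].test(value)) return false;
  }
  return true;
}

// Stand-alone demonstration over the URLs posted in the thread plus a constructed cache-buster.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    "http://releases.flowplayer.org/5.4.3/flowplayer.swf",
    "http://releases.flowplayer.org/5.4.3/flowplayer.swf?nocache=1383264000", // constructed
    "http://releases.flowplayer.org/5.4.3/flowplayer.swf?%63allback=alert(1)",
    "http://releases.flowplayer.org/5.4.4/flowplayer.swf?c%#allback=alert(1)",
  ];
  for (const s of samples) {
    console.log(s, "| allowlist:", isSafeSwfUrl(s), "| thread check rejects:", naiveQueryCheckRejects(s));
  }
}
```

The allowlist version accepts the bare URL and the numeric `nocache` value that the thread's check would block, while rejecting both posted bypasses: the encoded `%63allback` because the decoded name is not allowlisted, and `c%#allback` because the URL has a fragment and its query does not decode.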
mala commented on Sep 16, 2016
@irsdl ah, it's my mistake. I found this bypass pattern in other bug hunting, and I know mediaelement's case. I've just forgotten about flowplayer.
mailru/FileAPI#342 (comment)
https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
nnarhinen commented on Sep 16, 2016
Flowplayer 6.x has been around for over a year already and the 5.x line most likely will not get any updates anymore. Also, I have a hard time seeing how this could be exploited.