Date: Thu, 11 Mar 1999 13:53:41 -0400 From: Sean Coates To: BUGTRAQ@netspace.org Subject: [Fwd: Shockwave 7 Security Hole] I just got this off a Lingo programming list (Macromedia Director 7 scripting). Thought the Bugtraq community might appreciate it. -Sean Coates sean@spatula.ml.org Date: Thu, 11 Mar 1999 15:11:53 +0000 From: Bernard Lang To: lingo-l@penworks.com Subject: Shockwave 7 Security Hole Dear all, Thought this little extract from Macuser might amuse you all (especially in the context of recent discussions about viewing users hard disks/fileIo/Xtras etc.): --------------------------------------------------- Macromedia Will Plug Shockwave 7 Security Hole This Week 10 March - MacUser -- Macromedia is set to close a security loophole in Shockwave 7 after MacUser discovered the Web plug-in was sending personal user information, including passwords, back to Macromedia. The updated plug-in is being tested and will be available this week. The problem occurs in Shockwave 7's optional auto-update feature, which periodically checks the Macromedia download site for the latest revision of Shockwave. If it needs an update, the software reports back to Macromedia the Shockwave sites users have visited. But in cases where Web sites use password validation in their addresses, this information - which can include the passwords, as well as data about secure Web sites, even those behind a firewall, and hard disk information - is passed back to Macromedia. Although security risks are minor because Shockwave 7 encrypts data before sending it to Macromedia, other users could get information about how to attack a company's network. Macromedia was not aware of the problem when contacted, but is creating an updated Shockwave 7 plug-in which will strip obvious password information and port numbers from URLs before sending them. The update will record any non-standard URLs as "Not an http:// server", preventing information about local hard disks and ftp sites being transferred. Macromedia will also add a special parameter to the "embed" tag used to place Shockwave movies in a page that will stop the URL being recorded. Tut tut. Regards. Bernard Lang --------------------------- Telegrafix Media Design Glebe Cottage 15 High Street Burton in Lonsdale North Yorks LA6 3JU United Kingdom --------------------------- info@telegrafix.demon.co.uk 015242-62026 --------------------------- [To remove yourself from this list, or to change to digest mode, use the Lingo-L list management page available at http://www.penworks.com/LUJ/lingo-l.cgi]