My next class:

"De Flashing" the ISC Web Site and Flash XSS issues

Published: 2013-05-08. Last Updated: 2013-05-08 19:14:59 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

You may have noticed that earlier today, I removed the flash player that we use to play audio files on our site. The trigger for this was a report that the particular flash player we use (an open source player usually used with Wordpress) is suscepible to cross site scripting [1][2]. Instead of upgrading to the newer (patched) version, we instead decided to remove the player. 

The other part of this is that pretty much all current browsers do have reasonable support for HTML 5 audio tags. We do offer our audio files, like the daily podcast, in MP3 as well as Ogg Vorbis format, which covers all major browsers. We also offer links to the direct files in case someone would like to play the files "offline" and we do offer via RSS feeds various MP3/Podcast players. 

So in short, the flash player wasn't worth maintaining. 

On the other hand, we will try to embrace some of the HTML5 features more as we move the site forward. The data will still be available in pretty much any browser (yup. ... lynx), but you will see our graphs and similar parts of the site take advantage of newer browser features to make it easier to navigate the data. For now, we still got a couple of flash movies on the site, but we are working on moving them either to youtube, or using our own (again HTML5 based) solution.

Big thanks to Rafay Baloch [3] for reporting the XSS vulnerability to us! 

Example exploit string to test your own player: player.swf ? playerID= \\%22))} catch(e){alert('Your%20cookies%20are%20mine%20now')} //    (remove spaces, but keep the // at the end)

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1464
[2] http://wordpress.org/extend/plugins/audio-player/
[3] http://rafayhackingarticles.net twitter @rafaybaloch

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: adobe flash xss
4 comment(s)
My next class:

Comments

That's great news. I can't wait until more websites move to HTML5 and away from Flash. It seems like at least half of my system updates and critical patches are for Oracle/Java and Adobe/Flash. Both are very high maintenance for webmasters and also end users. Not to mention they have never been good for security.
Now, you don't suppose you could do something about the java requirement for your webcasts?

I wasn't able to attend the webcast "Uninstall Java? Realistic Recommendation? No. Insanity? Yes!" back in February - because I am apparently insane, and had uninstalled Java...
SANS is working on a different way to produce webcasts. For our ISC webcasts, we pretty much replaced them now with Youtube Videos and are not planning any new ISC webcasts using the old Java app.
I disable Flash except on websites I specify in IE9. When I connect to the ISC site, IE9 says that "This webpage wants to run the following add-on: 'Adobe Flash Player'". I assume this is coming from your ad links.

Still more work to do before ISC is completely Flash-free.

Diary Archives