"De Flashing" the ISC Web Site and Flash XSS issues
You may have noticed that earlier today, I removed the Flash player that we used to play audio files on our site. The trigger for this was a report that the particular Flash player we used (an open source player usually used with WordPress) is susceptible to cross site scripting [1][2]. Instead of upgrading to the newer (patched) version, we decided to remove the player altogether.
The other part of this is that pretty much all current browsers have reasonable support for the HTML5 audio tag. We offer our audio files, like the daily podcast, in MP3 as well as Ogg Vorbis format, which between them cover all major browsers. We also offer links to the files themselves in case someone would like to play them "offline", and our RSS feeds work with the various MP3/podcast players.
So in short, the flash player wasn't worth maintaining.
On the other hand, we will try to embrace more of the HTML5 features as we move the site forward. The data will still be available in pretty much any browser (yup ... lynx), but you will see our graphs and similar parts of the site take advantage of newer browser features to make it easier to navigate the data. For now, we still have a couple of Flash movies on the site, but we are working on moving them either to YouTube or to our own (again HTML5 based) solution.
Big thanks to Rafay Baloch [3] for reporting the XSS vulnerability to us!
Example exploit string to test your own player: player.swf ? playerID= \\%22))} catch(e){alert('Your%20cookies%20are%20mine%20now')} // (remove spaces, but keep the // at the end)
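As an added example (not part of the diary), here is a small log check a site operator could run to see whether the test string above was ever thrown at their own copy of player.swf. It assumes Apache combined-format access logs and that a legitimate playerID is a short alphanumeric identifier; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format), not taken from the ISC site.
# The second request carries the test string from the diary above, with the spaces removed.
SAMPLE_LOG = r"""
203.0.113.5 - - [08/May/2013:10:01:22 +0000] "GET /player.swf?playerID=12 HTTP/1.1" 200 4109 "-" "Mozilla/5.0"
203.0.113.9 - - [08/May/2013:10:02:07 +0000] "GET /player.swf?playerID=\\%22))}catch(e){alert('Your%20cookies%20are%20mine%20now')}// HTTP/1.1" 200 4109 "-" "curl/7.29.0"
203.0.113.7 - - [08/May/2013:10:03:15 +0000] "GET /podcast/isc-2013-05-08.mp3 HTTP/1.1" 200 3145728 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP first, then the quoted request line "METHOD TARGET PROTO".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Assumption: a legitimate playerID is a short identifier. Anything else is treated as an
# attempt to break out of the string the SWF hands to its JavaScript callback.
SAFE_PLAYER_ID = re.compile(r'^[A-Za-z0-9_-]{1,32}$')

def check_player_request(target):
    """Return None if the request target is harmless, otherwise a reason string."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("player.swf"):
        return None
    ids = parse_qs(parts.query, keep_blank_values=True).get("playerID")
    if not ids:
        return "player.swf request without playerID"
    decoded = unquote(ids[0])  # parse_qs already decoded once; a second pass catches double encoding
    if SAFE_PLAYER_ID.match(decoded):
        return None
    return "playerID contains script-breakout characters: %r" % decoded

def scan_log(log_text):
    """Return (client_ip, reason) for every suspicious player.swf request in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        reason = check_player_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), reason))
    return hits

if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(ip, reason)
```

Once the player is removed, any request for player.swf at all is worth a look, since nothing on the site links to it any more.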
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1464
[2] http://wordpress.org/extend/plugins/audio-player/
[3] http://rafayhackingarticles.net, Twitter: @rafaybaloch
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
May 8th 2013
I wasn't able to attend the webcast "Uninstall Java? Realistic Recommendation? No. Insanity? Yes!" back in February - because I am apparently insane, and had uninstalled Java...
May 9th 2013
Dr. J.
May 9th 2013
Still more work to do before ISC is completely Flash-free.
May 10th 2013