Closed Bug 1005674 Opened 11 years ago Closed 11 years ago

The Flash video player allows cross-site includes due to a missing source check

Categories

(www.mozilla.org :: General, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: schuenjia, Assigned: u232883)

Details

(Keywords: reporter-external, sec-high, wsec-other, Whiteboard: [kb=1355039] )

Attachments

(1 file)

44 bytes, text/x-github-pull-request
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140421221237

Steps to reproduce:
- Click on http://www.mozilla.org/media/flash/playerWithControls.swf?flv=http://www.attacker.site
- Check that a request is sent to the predefined site in the background

Actual results:
A request is sent to an attacker's site without the user noticing. An attacker can prepare flv or mp4 files for malicious uses. Furthermore, XSS should also be checked in this case.

Expected results:
- Use a whitelist
- Do not allow loading external resources
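The reporter asks for a whitelist on the media source. The following is an added example of what such a check looks like; it is not bedrock's code and not the fix that was merged (the commits below show the player being blocked outright rather than its parameter being validated). The allowed host names, the `flv` parameter handling and the helper names are assumptions for illustration. The check goes beyond the single attacker URL in the report and also covers the usual bypasses of a naive host comparison: scheme-relative URLs, userinfo tricks, look-alike suffix domains and non-HTTP schemes.

```python
"""Allowlist check for a user-supplied media URL (hypothetical helper, added
example; not bedrock's own code). Demonstrates the 'use whitelist' mitigation
requested in the bug report for the ?flv= parameter."""
from urllib.parse import parse_qs, urlsplit

# Hosts the player may load media from. Constructed example values.
ALLOWED_HOSTS = frozenset({"www.mozilla.org", "videos.cdn.mozilla.net"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_SUFFIXES = (".flv", ".mp4")


def is_allowed_media_url(raw: str) -> bool:
    """Return True only if `raw` is an absolute http(s) URL whose host is
    exactly one of ALLOWED_HOSTS and whose path names a media file."""
    parts = urlsplit(raw)

    # Reject javascript:, data:, and scheme-relative "//attacker.site/x.flv"
    # (urlsplit gives an empty scheme for the latter).
    if parts.scheme not in ALLOWED_SCHEMES:
        return False

    # Reject "http://www.mozilla.org@attacker.site/x.flv": the allowed name
    # is userinfo here, the real host is attacker.site.
    if parts.username is not None or parts.password is not None:
        return False

    # Exact, case-insensitive host match; a substring or endswith() test would
    # let "www.mozilla.org.attacker.site" through.
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False

    # Only media files, not arbitrary paths on the allowed host.
    if not parts.path.lower().endswith(ALLOWED_SUFFIXES):
        return False

    return True


def media_url_from_query(query: str):
    """Extract a validated `flv` value from a player query string, or None.
    Exactly one `flv` value is required; repeated parameters are rejected so
    the caller cannot be confused about which one was checked."""
    values = parse_qs(query).get("flv", [])
    if len(values) != 1:
        return None
    candidate = values[0]
    return candidate if is_allowed_media_url(candidate) else None


if __name__ == "__main__":
    # The URL from the report, plus a few bypass attempts (all constructed).
    for q in (
        "flv=http://www.attacker.site",
        "flv=//www.attacker.site/x.flv",
        "flv=http://www.mozilla.org@www.attacker.site/x.flv",
        "flv=http://www.mozilla.org.attacker.site/x.flv",
        "flv=javascript:alert(1)",
        "flv=https://videos.cdn.mozilla.net/intro.mp4",
    ):
        print(f"{q!r:60} -> {media_url_from_query(q)!r}")
```

One caveat a practitioner should keep in mind: a check like this only helps if it runs where the parameter is actually consumed. A SWF reads its own flashvars, so a server that hands the static player file back unchanged never sees or enforces anything about `?flv=`; the check would have to live in the player itself or the server would have to stop serving the player. The later commit on this bug took the second route and moved the blocking into the Whitenoise subclass.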
Component: Other → General
Product: Websites → www.mozilla.org
Version: unspecified → Production
See also Bug 439560.
Attached file pull request
So the fix in Bug 439560 was lost at some point. I sent a pull request to implement a similar mitigation.
Assignee: nobody → kohei.yoshino
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [kb=1355039]
Summary: XSRF on mozilla.org → The Flash video player allows cross-site includes due to a missing source check
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/74db552da5fe52685f0410a5e596d7ae622bf657
Fix Bug 1005674 - The Flash video player allows cross-site includes due to a missing source check

https://github.com/mozilla/bedrock/commit/781b67087018943003058d6bcac3ed69c07a834c
Merge pull request #1968 from kyoshino/bug-1005674-flash-player-csrf
Fix Bug 1005674 - The Flash video player allows cross-site includes due to a missing source check
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Flags: sec-bounty+
Keywords: sec-high, wsec-other
Commit pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/16496732d75a5b6d21afdcc57c5b217b480dd220
Move flash video player blocking to app. For bug 1005674. This was done in apache, and now it's in our Whitenoise subclass.