(Macromedia Issues Fix for Shockwave Player) Re: Macromedia Flash Player ActionScript Domain Security Flaw Lets Remote Users Access Local Files By Modifying URLs
SecurityTracker Alert ID: 1005359
SecurityTracker URL: http://securitytracker.com/id/1005359
Date: Oct 5 2002
Disclosure of system information, Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 8.5.1
A vulnerability was reported in the Macromedia Flash Player, also affecting the Shockwave Player. A remote user can create content that can read local files on the target user's computer.
It is reported that a remote user can create malicious Flash content to read files on the target user's computer and send them to a remote location.
The vulnerability apparently resides in the ActionScript feature used to load XML files. Ordinarily, the Flash Player prevents Flash content (movies) from loading data located outside of the original content's domain. However, it is apparently possible to bypass this restriction by loading data from URLs that are modified during HTTP negotiation. Malicious Flash content served from a remote domain could access local files and send them back to the remote domain.
The following three methods can be used to exploit the flaw, according to the report:
1) The content can force an HTTP redirect to a local file. A demonstration exploit example is available at:
2) The remote user can place a <base href="file:///C:/"> tag in the Flash document then use a relative URL. A demonstration exploit example is available at:
3) For systems using Internet Explorer, the remote user can embed a malicious Flash object in a web archive ('.mht' file) and make it seem as though it has been saved from a location on the user's hard drive, then use a relative URL. A demonstration exploit example is available at:
A remote user can create malicious Flash content on a remote server to read files on the target user's computer and send them back to the remote server.
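The three methods above all defeat a same-domain check that judges only the URL as the content wrote it. The following is an added example, not code from the report or from Macromedia, that contrasts such a check with one that resolves the URL against the effective base and re-checks every redirect hop; the function names, the host `movies.example` and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) for http(s) URLs; None for file: and anything else."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])

def naive_allows(movie_url, requested):
    """Flawed policy: judges only the URL as written by the content."""
    if not urlsplit(requested).scheme:      # relative URL assumed same-domain
        return True
    return origin(requested) == origin(movie_url)

def strict_allows(movie_url, requested, document_base=None, redirects=()):
    """Resolve against the effective base, then require every hop to stay on
    the movie's own origin, including each redirect target."""
    home = origin(movie_url)
    if home is None:
        return False
    hops = [urljoin(document_base or movie_url, requested)]
    for location in redirects:              # Location headers, in order received
        hops.append(urljoin(hops[-1], location))
    return all(origin(hop) == home for hop in hops)

# Constructed sample loads (hosts and file names are illustrative only).
MOVIE = "http://movies.example/app/viewer.swf"
CASES = {
    "same-site redirect": ("data/config.xml", None, ["/v2/config.xml"]),
    "redirect to local file": ("http://movies.example/data.xml", None,
                               ["file:///C:/notes.txt"]),
    "base href file:///C:/": ("notes.txt", "file:///C:/", []),
    "archive claims local origin": ("notes.txt", "file:///C:/saved/page.mht", []),
    "other remote domain": ("http://other.example/data.xml", None, []),
}

def evaluate():
    """Return {case: (naive decision, strict decision)} for the samples."""
    return {name: (naive_allows(MOVIE, req), strict_allows(MOVIE, req, base, red))
            for name, (req, base, red) in CASES.items()}

if __name__ == "__main__":
    for name, (naive, strict) in evaluate().items():
        print(f"{name:30} naive={naive!s:5} strict={strict}")
```

The naive check passes all three local-file cases because the decision is made before the URL is rewritten; the strict check rejects them while still allowing a redirect that stays on the movie's own origin.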
Macromedia has issued a fixed version of the Shockwave Player (8.5.1r105 for Mac, 8.5.1r106 for Windows), available at:
According to the report, this flaw also affected the Netscape and Internet Explorer browsers, fixed in February and May of 2002 respectively. Internet Explorer for the Mac is apparently still vulnerable.
Vendor URL: www.macromedia.com/v1/handlers/index.cfm?ID=23415
Access control error, State error
Underlying OS: Linux (Any), Apple (Legacy "classic" Mac), UNIX (macOS/OS X), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (Any)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: MPSB02-11 - Macromedia Shockwave URL Modification Issue
MPSB02-11 - Macromedia Shockwave URL Modification Issue
Macromedia issued a security bulletin warning that there is a vulnerability in the
Shockwave Player that could allow a remote user to create malicious Shockwave content
that, when loaded, will be able to read known files on the target user's system and send
those files back to the originating web server. This can occur without the target user's
consent or knowledge.
According to the vendor, this flaw does not permit the remote user to modify or delete
local files. All Macromedia Shockwave Players are reported to be affected.
It is reported that the Lingo (in Shockwave movies) can request to load data directly from
local files, such as by using the getNetText function.
Malicious content can bypass same-domain security restrictions by loading data from URLs
that are modified during HTTP negotiation (using HTTP redirects, for example).
According to the report, this flaw also affected the Netscape and Internet Explorer
browsers, fixed in February and May of 2002 respectively. Internet Explorer for the Mac
is apparently still vulnerable.
Macromedia has issued a fixed version of the Shockwave Player (8.5.1r105 for Mac,
8.5.1r106 for Windows), available at:
Macromedia credits Jelmer (email@example.com) with reporting this flaw.
October 2, 2002 - Bulletin first released.
[Editor's note: We regret that the original Macromedia security bulletin cannot be
reproduced due to copyright restrictions. If you feel that this impedes your ability to
secure your systems, please contact Macromedia at firstname.lastname@example.org to request that
their security bulletins provide a copyright release.]