Reflected XSS Moogaloop SWF ( Version < 6.2.x ) - Mohamed Haron

Mohamed Haron

This is a personal blog about security and write-ups

Mar 26, 2018

Reflected XSS Moogaloop SWF ( Version < 6.2.x )


Reflected XSS in the SWF file moogaloop.swf that's run by

Sure, I reported it to the Vimeo team. My report was marked as Informative.

So I want to share what I found.

My report is based on a report by Malte Batram.

Affected Subdomains

The Parameter ?cdn_url= have In that flash file we can find functionality that looks into the SharedObject "com.conviva.livePass" for recently loaded swf-URLs under the key "lastSwfUrls". As far as I understand it, this is intended to look up whether a flash file has recently been loaded and should be in the cache of the browser, to try to always hit the cached file even if the URLs vary.

SharedObjects in Flash are stored on the basis of the domain of the flash file, so in this case the file will always be stored in Using a vulnerability in moogaloop, we can set the SharedObject and get any flash file we want loaded, resulting in XSS on any site that includes the moogaloop flash player via the deprecated embed code rather than the iframe solution.
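Since exposure depends on whether a page still uses the deprecated Flash embed code rather than the iframe, a site owner can audit their own markup for it. The following is an added example, not code from the original post or from Vimeo; the `player.example` host and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that can carry a player URL in embed markup.
URL_ATTRS = {"embed": "src", "object": "data", "param": "value", "iframe": "src"}


class EmbedAudit(HTMLParser):
    """Collect Flash-style moogaloop.swf embeds and iframe embeds from one page."""

    def __init__(self):
        super().__init__()
        self.flash = []    # (tag, url, line) for <embed>/<object>/<param> hits
        self.iframes = []  # (url, line) for iframe embeds

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        url = (dict(attrs).get(attr) or "").strip()
        line = self.getpos()[0]
        if tag == "iframe":
            if url:
                self.iframes.append((url, line))
        elif "moogaloop.swf" in url.lower():
            self.flash.append((tag, url, line))


def audit(html):
    """Scan `html`; a non-empty `.flash` list means deprecated embeds remain."""
    parser = EmbedAudit()
    parser.feed(html)
    parser.close()
    return parser


# Constructed sample page: one deprecated Flash embed, one iframe embed.
SAMPLE = """<html><body>
<object width="400" height="300">
  <param name="movie" value="https://player.example/moogaloop.swf?clip_id=1">
  <embed src="https://player.example/moogaloop.swf?clip_id=1" type="application/x-shockwave-flash">
</object>
<iframe src="https://player.example/video/1" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, line in audit(SAMPLE).flash:
        print(f"line {line}: deprecated Flash embed via <{tag}>: {url}")
```

Each reported line is a place to swap the old object/embed markup for the iframe embed.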

ActionScript source :

Link to XSS : 

Note on the link to the XSS: you must add "?" after .swf

Example of POC : 
