Mar 26, 2018

Reflected XSS Moogaloop SWF ( Version < 6.2.x )

Reflected XSS in the SWF file moogaloop.swf, which is run by Vimeo.com.

Of course, I reported it to the Vimeo team, and my report was marked as Informative.

So I want to share what I found.

My report is based on the report by Malte Batram:
https://hackerone.com/reports/44512


Affected Subdomains 

http://a.vimeocdn.com
http://b.vimeocdn.com
http://c.vimeocdn.com
https://secure-a.vimeocdn.com
http://secure-b.vimeocdn.com/
http://secure-c.vimeocdn.com
http://testing.vimeocdn.com/
http://stating.vimeocdn.com/

The vulnerable parameter is ?cdn_url=. In that flash file we can find functionality that looks into the SharedObject "com.conviva.livePass" for recently loaded SWF URLs under the key "lastSwfUrls". As far as I understand it, this is intended to look up whether a flash file has recently been loaded and should be in the browser's cache, so that the cached file is always hit even if the URLs vary.

SharedObjects in Flash are stored on the basis of the domain of the flash file, so in this case the file will always be stored in a.vimeocdn.com/com.conviva.livePass.sol. Using a vulnerability in moogaloop, we can set the SharedObject and get any flash file we want loaded, resulting in XSS on any site that includes the moogaloop flash player via the deprecated embed code rather than the iframe solution.
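The root cause described above is a loader that trusts a caller-supplied cdn_url and ends up fetching a SWF from wherever that URL points. The following is an added example, not code from the post or from Vimeo: a strict allowlist check for such a parameter, plus a small detector that runs the same check over web-server log lines to flag requests whose cdn_url points off the expected CDN hosts. The allowlist is assumed from the subdomain list in the post, the log format and the request paths are constructed, and the evil.example host is a placeholder.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist built from the affected subdomains named in the post.
# This is an illustration, not Vimeo's real configuration.
ALLOWED_CDN_HOSTS = {
    "a.vimeocdn.com", "b.vimeocdn.com", "c.vimeocdn.com",
    "secure-a.vimeocdn.com", "secure-b.vimeocdn.com", "secure-c.vimeocdn.com",
}


def cdn_url_is_safe(cdn_url: str) -> bool:
    """Return True only if cdn_url is an http(s) URL whose host is on the allowlist.

    A host allowlist on the parsed URL, rather than a substring or prefix check
    on the raw string, is what stops the loader from being pointed at an
    arbitrary SWF.
    """
    try:
        parts = urlsplit(cdn_url)
    except ValueError:
        return False
    # Rejects protocol-relative ("//host/..."), data:, and other non-http schemes.
    if parts.scheme not in ("http", "https"):
        return False
    # "https://a.vimeocdn.com@evil.example/" fools naive string checks; the real
    # host is after the "@", so userinfo is refused outright.
    if parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_CDN_HOSTS


def flag_suspicious_requests(log_lines):
    """Return (line, cdn_url) pairs for moogaloop.swf requests whose cdn_url fails validation.

    Constructed log format: "<client-ip> <method> <path-with-query> <status>".
    """
    findings = []
    for line in log_lines:
        try:
            _ip, _method, target, _status = line.split()
        except ValueError:
            continue  # skip lines that do not match the constructed format
        parts = urlsplit(target)
        if not parts.path.endswith("moogaloop.swf"):
            continue
        # parse_qs percent-decodes values, so encoded variants are checked too.
        for cdn_url in parse_qs(parts.query).get("cdn_url", []):
            if not cdn_url_is_safe(cdn_url):
                findings.append((line, cdn_url))
    return findings


# Constructed sample log lines; paths and hosts are placeholders.
SAMPLE_LOG = [
    "203.0.113.5 GET /flash/moogaloop.swf?cdn_url=http://a.vimeocdn.com 200",
    "203.0.113.7 GET /flash/moogaloop.swf?cdn_url=http://evil.example 200",
    "203.0.113.9 GET /flash/moogaloop.swf?cdn_url=//evil.example 200",
    "203.0.113.9 GET /index.html 200",
]

if __name__ == "__main__":
    for line, bad_url in flag_suspicious_requests(SAMPLE_LOG):
        print(f"off-CDN cdn_url {bad_url!r} in: {line}")
```

The detector is only as good as the allowlist; the same `cdn_url_is_safe` function is the check the loader itself should perform before it ever uses the value.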

ActionScript source:

Link to XSS:

Note on the link to the XSS: you must add "?" after .swf

Example of POC:

Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student