Reported April 13, 2003, by Scan Security Wire
VERSIONS AFFECTED
Macromedia Flash Player
DESCRIPTION
A problem with Macromedia Flash Player's advertisement-tracking feature can
expose user cookies. The clickTAG parameter that Flash Player supports lets
HTML pages define the click-through destination URL for a related
advertisement. A malicious user can use the clickTAG parameter to insert
scripting code that might execute if the Flash advertisement doesn't validate
URLs before passing them to the "ActionScript getURL" function.
VENDOR RESPONSE
Macromedia issued a statement of clarification for implementers of Flash
advertisements: "A new player version is not required. Macromedia Flash
advertisements that accept clickTAGs need to validate that the clickTAG URL
begins with 'http:'. This helps ensure the clickTAG does not contain malicious
code."
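The scheme check the vendor statement calls for, as an added example in JavaScript (not Macromedia's code and not part of the original advisory). The function names, the https: allowance, the required "//" after the scheme and the sample values are assumptions made for illustration.

```javascript
// Added example: validate a clickTAG value before handing it to a navigation
// call such as getURL. All names here are hypothetical.

// The vendor guidance names 'http:'; 'https:' is allowed here as an assumption.
const ALLOWED_SCHEMES = ["http:", "https:"];

// Browsers drop tab, CR and LF inside a URL and ignore leading control
// characters and spaces, so a scheme split by a tab still parses as one
// scheme. Normalise the same way before looking at the prefix.
function normalizeForSchemeCheck(value) {
  return String(value)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
}

// Returns the URL to navigate to, or fallbackUrl when the value is rejected.
function safeClickTag(clickTag, fallbackUrl = null) {
  if (typeof clickTag !== "string" || clickTag.length === 0) return fallbackUrl;
  const candidate = normalizeForSchemeCheck(clickTag);
  // Require an explicit scheme followed by "//" (stricter than a bare prefix
  // test, so relative values and scheme-only strings are refused).
  const match = /^([a-z][a-z0-9+.-]*:)\/\//i.exec(candidate);
  if (!match) return fallbackUrl;
  // Schemes are case-insensitive, so compare in lower case.
  if (!ALLOWED_SCHEMES.includes(match[1].toLowerCase())) return fallbackUrl;
  return candidate;
}

// Constructed sample values, not taken from the advisory.
const SAMPLES = [
  "http://ads.example/track?id=1", // accepted
  "\thttps://ads.example/",        // accepted after normalisation
  "JavaScript:void(0)",            // script scheme, mixed case: rejected
  " java\tscript:void(0)",         // script scheme split by a tab: rejected
  "data:text/html,x",              // non-http scheme: rejected
  "/relative/path",                // no scheme: rejected
];

// Pairs each sample with the validator's decision.
function checkSamples() {
  return SAMPLES.map((value) => [value, safeClickTag(value)]);
}

console.log(checkSamples());
```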
CREDIT
Discovered by Scan Security Wire.
Macromedia Flash Player Might Expose Cookies