Macromedia Flash Player Might Expose Cookies

Reported April 13, 2003, by Scan Security Wire

VERSIONS AFFECTED

Macromedia Flash Player

DESCRIPTION

A problem with Macromedia Flash Player's advertisement-tracking feature can expose user cookies. The clickTAG parameter that Flash Player supports lets HTML pages define the click-through destination URL for a related advertisement. A malicious user can use the clickTAG parameter to insert scripting code that might execute if the Flash advertisement doesn't validate URLs before passing them to the "ActionScript getURL" function.

VENDOR RESPONSE

Macromedia issued a statement of clarification for implementers of Flash advertisements: "A new player version is not required. Macromedia Flash advertisements that accept clickTAGs need to validate that the clickTAG URL begins with 'http:'. This helps ensure the clickTAG does not contain malicious code."

CREDIT          

Discovered by Scan Security Wire.

Reported April 13, 2003, by Scan Security Wire

VERSIONS AFFECTED

Macromedia Flash Player

DESCRIPTION

A problem with Macromedia Flash Player's advertisement-tracking feature can expose user cookies. The clickTAG parameter that Flash Player supports lets HTML pages define the click-through destination URL for a related advertisement. A malicious user can use the clickTAG parameter to insert scripting code that might execute if the Flash advertisement doesn't validate URLs before passing them to the "ActionScript getURL" function.

VENDOR RESPONSE

Macromedia issued a statement of clarification for implementers of Flash advertisements: "A new player version is not required. Macromedia Flash advertisements that accept clickTAGs need to validate that the clickTAG URL begins with 'http:'. This helps ensure the clickTAG does not contain malicious code."

CREDIT          

Discovered by Scan Security Wire.