google-code-export / flowplayer-core

Automatically exported from code.google.com/p/flowplayer-core

Provide an additional "security enhanced" player SWF #348

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Currently it's possible to provide the player's configuration in the player's 
URL like this: 
http://www.large-bank.com/flowplayer.swf?config=config_with_bad-guys.com/phishing_video.mp4

This opens the possibility to phishing attacks.

On the other hand we want to keep the possibility to provide the configuration 
option in the player URL because this makes it easier to embed the player to 
sites like Facebook.

So I'm proposing that we create a new player SWF called 
flowplayer.commercial.secured.swf that is the same as the current commercial 
version but has the config URL parameter feature disabled. This secured SWF 
will be given to all commercial license owners in addition to the normal 
commercial version. The user can then choose which one to use.

Original issue reported on code.google.com by anssip@gmail.com on 23 Jul 2011 at 6:06
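
A site operator can check how often the URL `config` parameter described in the report above is actually used against their own player. The following is an added example, not part of the original issue or of Flowplayer's code: it scans access-log lines for requests to a Flowplayer SWF that carry `config=` and reports any host the value references outside an allow-list. `TRUSTED_HOSTS`, the combined log format, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts this site itself serves player config and media from.
TRUSTED_HOSTS = {"www.large-bank.com"}

SWF_RE = re.compile(r"/flowplayer[^/]*\.swf$", re.I)       # flowplayer*.swf
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')     # request line in the log
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)", re.I)

# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2014:10:00:01 +0000] "GET /flowplayer.swf HTTP/1.1" 200 120345',
    '203.0.113.9 - - [01/Jan/2014:10:00:07 +0000] "GET /flowplayer.swf?config=http%3A%2F%2Fmedia.example.net%2Fplayer.json HTTP/1.1" 200 120345',
    '203.0.113.9 - - [01/Jan/2014:10:00:09 +0000] "GET /flowplayer.commercial.swf?config=%7B%22clip%22%3A%22%2Fvideo%2Fintro.mp4%22%7D HTTP/1.1" 200 120345',
    '203.0.113.4 - - [01/Jan/2014:10:00:12 +0000] "GET /index.html?config=x HTTP/1.1" 200 512',
]

def classify(target):
    """Return (verdict, hosts) for one request target (path plus query)."""
    parts = urlsplit(target)
    if not SWF_RE.search(parts.path):
        return ("ignore", [])          # not a request for the player SWF
    # parse_qs percent-decodes values; keep_blank_values also catches "config=".
    values = parse_qs(parts.query, keep_blank_values=True).get("config")
    if values is None:
        return ("ok", [])              # SWF loaded without URL-supplied config
    hosts = sorted({h.lower() for v in values for h in HOST_RE.findall(v)})
    external = [h for h in hosts if h not in TRUSTED_HOSTS]
    return ("external", external) if external else ("review", hosts)

def scan(lines):
    """Collect every SWF request that supplied its configuration in the URL."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            verdict, hosts = classify(m.group(1))
            if verdict in ("external", "review"):
                findings.append((verdict, hosts, m.group(1)))
    return findings

if __name__ == "__main__":
    for verdict, hosts, target in scan(SAMPLE_LOG):
        print(verdict, hosts, target)
```

A site that never embeds the player with a URL-supplied configuration should expect no findings at all, so both verdicts are worth a look.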

GoogleCodeExporter commented 9 years ago
Let me know if you want me to work on this, shouldn't take too long

Original comment by jns.fe...@gmail.com on 14 Sep 2011 at 3:28

GoogleCodeExporter commented 9 years ago
We should investigate whether or not this can be solved with an appropriate 
crossdomain.xml file.
http://kb2.adobe.com/cps/142/tn_14213.html

Original comment by blacktrashproduct on 14 Nov 2011 at 4:56

GoogleCodeExporter commented 9 years ago
There is a report of XSS via the ability to load external plugins via the 
config url if the policy allows it. Flash should block this but is apparently 
allowing it, is this related? Should there be some work required on the plugin 
loader to block external domains or simply change the security settings on the 
plugin loader?

http://code.google.com/p/flowplayer-core/issues/detail?id=441

Their policy is http://web.appsec.ws/crossdomain.xml. 

Original comment by dani...@electroteque.org on 26 Jan 2012 at 4:42

GoogleCodeExporter commented 9 years ago
crossdomain.xml with "allow-access-from" tied to a single domain didn't work for 
us. It seems that the Flash cross-domain policy does not affect external SWF loading.

We cannot use the commercial player because the sec. assessment (WhiteHat Sentinel) 
flags it with "XSS vulnerability". Guys (Jonas?), can you please implement a secured 
version?

Original comment by ado...@gmail.com on 10 Sep 2012 at 8:58

GoogleCodeExporter commented 9 years ago
Hello!

According to http://www.securelist.com/en/advisories/54206 (Dated 07 Aug 2013) 
this issue is still open. The last answer on this thread was 10 Sept 2012.

Is there anyone working on this or was a secured version implemented already?

I believe this also affects the fallback swf Flowplayer used in the HTML5 
Flowplayer? 
Do I understand correctly that this issue therefore touches all Flowplayer 
versions?

Thanks!
KB

Original comment by kl...@netcreators.nl on 12 Nov 2013 at 3:51

GoogleCodeExporter commented 9 years ago
The bug tracker for Flowplayer Flash is now here:
https://github.com/flowplayer/flash/issues
And you are probably looking for this:
https://github.com/flowplayer/flash/issues/121
The mentioned changes will go into Flowplayer 3.2.17

The Flash backend for Flowplayer HTML5 is completely different.
It is (almost) safe: https://github.com/flowplayer/flowplayer/issues/381 - with 
yet another change for the next release.

Original comment by blacktrashproduct on 12 Nov 2013 at 4:31

GoogleCodeExporter commented 9 years ago
Thank you very much for the detailed information!

Is there a timeframe for the Flowplayer Flash 3.2.17 release?

Original comment by kl...@netcreators.nl on 12 Nov 2013 at 4:42