Flash Player Vulnerability


Wt Riker

Feb 3, 2015, 9:48:08 AM
to jenkins...@googlegroups.com
I found a vulnerability in Flash Player but it was simple enough to resolve myself. However, this should be added to the next release. In the JavaScript file:

.jenkins/war/scripts/yui/connection/connection-min.js

This line:

<param name="allowScriptAccess" value="always">

Needs to be changed to:

<param name="allowScriptAccess" value="sameDomain">

This vulnerability makes it possible to steal or manipulate session cookies which might be used to impersonate a legitimate user.

Christopher Orr

Feb 3, 2015, 10:06:45 AM
to jenkins...@googlegroups.com
Hi there,

Thanks for the info.

Which pages are you seeing on Jenkins where this JavaScript file is
used, or where a Flash Player is embedded?

Regards,
Chris

Wt Riker

Feb 3, 2015, 10:29:28 AM
to jenkins...@googlegroups.com
The link is:

http://jenkins.server.com:8080/static/452bd4e7/scripts/yui/connection/connection-min.js

I don't know what page contains that link or how it gets generated. Perhaps you can direct me on how to figure that out.

Daniel Beck

Feb 3, 2015, 2:11:32 PM
to jenkins...@googlegroups.com
Better readable file:
https://github.com/jenkinsci/jenkins/blob/master/war/src/main/webapp/scripts/yui/connection/connection-debug.js#L1046

It's part of the YUI library and used to enable cross-domain requests.

According to https://helpx.adobe.com/flash-player/kb/changes-allowscriptaccess-default-flash-player.html doing this requires AllowScriptAccess 'always'.

> It protects an HTML file from a potentially untrusted SWF file, by controlling the ability of that SWF file to call JavaScript code in the surrounding HTML file. AllowScriptAccess has three possible values: "always", "sameDomain", and "never".

I'm not a Flash expert, but as the SWF file used here is connection.swf from the same library (YUI) and should be trusted, and any embedding only happens for deliberate cross-domain requests, this doesn't seem to be a real issue.

If you have further information that shows this is an actual problem, please submit a report with further information to the SECURITY project in Jira.

https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories#SecurityAdvisories-ReportSecurityProblems
https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue
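
For auditing where a deployment sets this parameter, the following is an added example and not part of the thread, Jenkins or YUI: it lists every `allowScriptAccess` setting found in static web files so each "always" can be checked against the SWF it applies to. The function names and the sample input are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Added audit sketch; find_settings and scan_tree are illustrative names.
PARAM_TAG = re.compile(r"<param\b[^>]*>", re.I)
# attr="value" pairs, tolerating \" escapes inside JavaScript string literals
ATTR = re.compile(r"""([\w-]+)\s*=\s*\\?["']([^"'\\]*)\\?["']""")
# <embed>/<object> attribute form: allowScriptAccess="..."
EMBED_ATTR = re.compile(r"""\ballowScriptAccess\s*=\s*\\?["'](\w+)\\?["']""", re.I)
# "always" lets a SWF from any domain call JavaScript in the embedding page,
# so it is flagged for review of which SWF is actually loaded.
VERDICT = {"always": "review", "samedomain": "ok", "never": "ok"}

def find_settings(text):
    """Return [(line_no, value, verdict)] for every allowScriptAccess setting."""
    hits = []
    for m in PARAM_TAG.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(0))}
        if attrs.get("name", "").lower() == "allowscriptaccess":
            hits.append((m.start(), attrs.get("value", "")))
    hits += [(m.start(), m.group(1)) for m in EMBED_ATTR.finditer(text)]
    return [(text.count("\n", 0, pos) + 1, val, VERDICT.get(val.lower(), "unknown"))
            for pos, val in sorted(hits)]

def scan_tree(root, suffixes=(".js", ".html", ".htm")):
    """Yield (path, line_no, value, verdict) for matching files under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            for line_no, val, verdict in find_settings(text):
                yield path, line_no, val, verdict

# Constructed sample: JavaScript that builds Flash embedding markup as strings.
SAMPLE = '''var o = '<object id="swf" type="application/x-shockwave-flash" data="' + uri + '">' +
  '<param name="allowScriptAccess" value="always"/>' +
  '</object>';
var e = "<embed src=\\"x.swf\\" allowScriptAccess=\\"sameDomain\\">";
'''

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise run on the sample.
    rows = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_settings(SAMPLE)
    for row in rows:
        print(*row, sep="\t")
```

A "review" result is a prompt to confirm that the SWF being embedded is one you ship and trust, not a finding in itself.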
