zaphraud Post Posted: Thu Sep 07, 2006 8:42 am

First, the 0day: LJ recently enabled movies on Photobucket and YouTube with a template. The template is needed both to keep people from posting random-ass stuff and turning LJ into the mess that MySpace is, and to keep people from having passwords jacked by malicious Flash; if they are running an older version of Flash, the activescript is apparently a problem (?). This was recently highlighted on MySpace, where the site basically did everything it could to ram Flash Player 9 down everyone's throat - including insisting that my Linux box didn't have the latest version of Flash (7 is the latest on Linux - I hope Sun gets on Adobe's ass about fixing the problems in the Linux version, if they were ever there to start with; I know that the Linux version of 7 lacks many of the problems I had with the Windows version of 7... let's just say I never had to fight battles with getflash.exe in Linux!).

In ANY case, you can see it here:
http://img.photobucket.com/albums/v510/zaphraud/misc/mozilla.swf
http://acpizza.livejournal.com/499638.html

...you can also post the SWF ads on Photobucket or YouTube as if they were movies, as long as they are within the parent domain. (Ads for their own products, in other words. They don't host the ads for other cos.)

This is a security hole exploit because:

1. You aren't supposed to be able to do that. That could be a MUCH more annoying Flash program, and LiveJournal, like everywhere else, is relying on the SWF player to not spontaneously start itself up.
2. I can upload any SWF to Photobucket that I want, because Photobucket allows SWF as a still image format (go figure. I guess it's vaguely similar to a really, really, really animated GIF...).
3. The LiveJournal template system, while it does an excellent job of detecting any other domain than YouTube or Photobucket, doesn't seem to give a shit WHERE on either of those domains the Flash comes from! The template ONLY checks the domain name!

I've been playing with LJ for half a decade now, on and off; I probably find a hole in LJ every other year or so. By far the most direct and noticeable was the "Exxon Seal Remover" trick, which occurred in 2001. I've since found some of the stuff the staff wrote about getting it fixed and made it into memories: http://www.livejournal.com/tools/memories.bml?user=acpizza&keyword=Exxon+Seal+Remover+bugfix

In http://acpizza.livejournal.com/104425.html I was able to post Flash to LJ as well. Despite reporting it, that bug sat completely unfixed until YEARS later - like late 2005 or early 2006, I think, when #bantown seized a bunch of passwords using XSS and all of a sudden they turned the paranoia on the filtering way up and it stopped working. *This didn't work in MSIE* - MSIE doesn't interpret the object tag if that damned dot is stuck on the end - but since it worked in Firefox, which later became FAR more popular than Mozilla, by the time #bantown got around to noticing it, it was pretty significant when it happened to LJ. I think they logged everyone out, actually, to implement a new password system and new domain mapping. Gee, all those years to fix it, sure didn't take 'em long to open up another SWF hole, did it?

In "Testing a mozilla bug" (http://acpizza.livejournal.com/114464.html) I had read about the IMG SRC="mailto:" problem with Mozilla and wanted to see how it worked, sorta publicly... Back in 2003 I figured anyone smart enough to be using Mozilla would be smart enough not to freak out. I didn't know the same bug existed in MSIE - I swear it - and so I had to alter that post pretty quick after a bunch of chicks promptly freaked out when their email programs opened.
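The post's point that the template "ONLY checks the domain name" is the whole bug: on a host that also serves user uploads, a domain allowlist says nothing about what the file is. As an added example (not from the post and not LiveJournal's or Photobucket's code), here is a domain-only check beside a hardened one that pins scheme, exact host and path pattern; the hosts and path patterns in the allowlist are my assumptions, not the real template's.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: exact hosts paired with the only path shapes the embed
# feature needs. These patterns are hypothetical stand-ins, not the real ones.
ALLOWED_EMBEDS = {
    "www.youtube.com": re.compile(r"^/v/[A-Za-z0-9_-]{11}$"),
    "video.photobucket.com": re.compile(r"^/player/player\.swf$"),
}
ALLOWED_DOMAINS = ("youtube.com", "photobucket.com")


def domain_only_check(url: str) -> bool:
    """The weak check the post describes: any URL on an allowed domain passes,
    including a user-uploaded SWF sitting anywhere on that domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def strict_embed_check(url: str) -> bool:
    """Hardened check: http(s) only, no userinfo or odd port, exact host match,
    and the path must match the pattern registered for that host."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.username is not None:
        return False
    try:
        if parts.port not in (None, 80, 443):
            return False
    except ValueError:  # malformed port such as ":abc"
        return False
    pattern = ALLOWED_EMBEDS.get((parts.hostname or "").lower())
    return pattern is not None and pattern.match(parts.path) is not None


# Constructed sample URLs; the third is the shape of a user upload on an
# otherwise allowed domain, the fourth a lookalike host.
SAMPLE_URLS = [
    "http://www.youtube.com/v/dQw4w9WgXcQ",
    "http://video.photobucket.com/player/player.swf",
    "http://img.photobucket.com/albums/v510/someuser/misc/anything.swf",
    "http://www.youtube.com.evil.example/v/dQw4w9WgXcQ",
]


def compare(urls):
    """Return (url, domain_only_result, strict_result) for each URL."""
    return [(u, domain_only_check(u), strict_embed_check(u)) for u in urls]


if __name__ == "__main__":
    for url, weak, strict in compare(SAMPLE_URLS):
        print(f"{weak!s:5} {strict!s:5} {url}")
```

The third URL is the interesting row: the domain-only check accepts it and the strict check rejects it, which is exactly the gap the post is complaining about.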