jvndb-2007-000817
Vulnerability from jvndb
Published
2008-05-21 00:00
Modified
2009-02-10 11:32
Severity ?
() - -
Summary
Flash Player vulnerable in handling cross-domain policy files
Details
Adobe Flash Player contains a vulnerability caused by improper handling of cross-domain policy files. Adobe Flash Player is a player for the Flash media format and enables frame-based animations with sound to be viewed within a web browser. According to Adobe's "About allowing cross-domain data loading", "When a Flash document attempts to access data from another domain, Flash Player automatically attempts to load a policy file from that domain. If the domain of the Flash document that is attempting to access the data is included in the policy file, the data is automatically accessible." Flash Player contains a vulnerability that may allow a specially crafted web page to be interpreted as a cross-domain policy file because the plugin fails to properly handle cross-domain policy files.
References
JVN http://jvn.jp/en/jp/JVN45675516/index.html
JVNTR https://jvn.jp/en/tr/TRTA07-355A/index.html
JVNTR https://jvn.jp/en/tr/TRTA08-100A/
JVNTR https://jvn.jp/en/tr/TRTA08-150A/index.html
CVE http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
NVD http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6243
CERT-SA http://www.us-cert.gov/cas/alerts/SA08-150A.html
CERT-TA http://www.us-cert.gov/cas/techalerts/TA08-150A.html
SECUNIA http://secunia.com/advisories/28161
XF http://xforce.iss.net/xforce/xfdb/39129
SECTRACK http://securitytracker.com/id?1019116
FRSIRT http://www.frsirt.com/english/advisories/2007/4258
FRSIRT http://www.frsirt.com/english/advisories/2008/2838
JVNDB_Ja http://jvndb.jvn.jp/ja/contents/2007/JVNDB-2007-000817.html
Cross-site Scripting(CWE-79) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Impacted products
Adobe Inc.Adobe Flash Player
Red Hat, Inc.Red Hat Enterprise Linux Extras
Red Hat, Inc.RHEL Desktop Supplementary
Red Hat, Inc.RHEL Supplementary
Apple Inc.Apple Mac OS X
Apple Inc.Apple Mac OS X Server
Sun Microsystems, Inc.OpenSolaris
Sun Microsystems, Inc.Sun Solaris
Turbolinux, Inc.Turbolinux FUJI
Turbolinux, Inc.wizpy
Show details on JVN DB website

To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000817.html",
  "dc:date": "2009-02-10T11:32+09:00",
  "dcterms:issued": "2008-05-21T00:00+09:00",
  "dcterms:modified": "2009-02-10T11:32+09:00",
  "description": "Adobe Flash Player contains a vulnerability caused by improper handling of cross-domain policy files.\r\n\r\nAdobe Flash Player is a player for the Flash media format and enables frame-based animations with sound to be viewed within a web browser.\r\nAccording to Adobe\u0027s \"About allowing cross-domain data loading\", \"When a Flash document attempts to access data from another domain, Flash Player automatically attempts to load a policy file from that domain. If the domain of the Flash document that is attempting to access the data is included in the policy file, the data is automatically accessible.\"\r\nFlash Player contains a vulnerability that may allow a specially crafted web page to be interpreted as a cross-domain policy file because the plugin fails to properly handle cross-domain policy files.",
  "link": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000817.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:adobe:flash_player",
      "@product": "Adobe Flash Player",
      "@vendor": "Adobe Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:redhat:enterprise_linux",
      "@product": "Red Hat Enterprise Linux Extras",
      "@vendor": "Red Hat, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:redhat:rhel_desktop_supplementary",
      "@product": "RHEL Desktop Supplementary",
      "@vendor": "Red Hat, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:redhat:rhel_supplementary",
      "@product": "RHEL Supplementary",
      "@vendor": "Red Hat, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:apple:mac_os_x",
      "@product": "Apple Mac OS X",
      "@vendor": "Apple Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:apple:mac_os_x_server",
      "@product": "Apple Mac OS X Server",
      "@vendor": "Apple Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:sun:opensolaris",
      "@product": "OpenSolaris",
      "@vendor": "Sun Microsystems, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:sun:solaris",
      "@product": "Sun Solaris",
      "@vendor": "Sun Microsystems, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:turbolinux:turbolinux_fuji",
      "@product": "Turbolinux FUJI",
      "@vendor": "Turbolinux, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:turbolinux:turbolinux_wizpy",
      "@product": "wizpy",
      "@vendor": "Turbolinux, Inc.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "2.6",
    "@severity": "Low",
    "@type": "Base",
    "@vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
    "@version": "2.0"
  },
  "sec:identifier": "JVNDB-2007-000817",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN45675516/index.html",
      "@id": "JVN#45675516",
      "@source": "JVN"
    },
    {
      "#text": "https://jvn.jp/en/tr/TRTA07-355A/index.html",
      "@id": "TRTA07-355A",
      "@source": "JVNTR"
    },
    {
      "#text": "https://jvn.jp/en/tr/TRTA08-100A/",
      "@id": "TRTA08-100A",
      "@source": "JVNTR"
    },
    {
      "#text": "https://jvn.jp/en/tr/TRTA08-150A/index.html",
      "@id": "TRTA08-150A",
      "@source": "JVNTR"
    },
    {
      "#text": "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243",
      "@id": "CVE-2007-6243",
      "@source": "CVE"
    },
    {
      "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6243",
      "@id": "CVE-2007-6243",
      "@source": "NVD"
    },
    {
      "#text": "http://www.us-cert.gov/cas/alerts/SA08-150A.html",
      "@id": "SA08-150A",
      "@source": "CERT-SA"
    },
    {
      "#text": "http://www.us-cert.gov/cas/techalerts/TA08-150A.html",
      "@id": "TA08-150A",
      "@source": "CERT-TA"
    },
    {
      "#text": "http://secunia.com/advisories/28161",
      "@id": "SA28161",
      "@source": "SECUNIA"
    },
    {
      "#text": "http://xforce.iss.net/xforce/xfdb/39129",
      "@id": "39129",
      "@source": "XF"
    },
    {
      "#text": "http://securitytracker.com/id?1019116",
      "@id": "1019116",
      "@source": "SECTRACK"
    },
    {
      "#text": "http://www.frsirt.com/english/advisories/2007/4258",
      "@id": "FrSIRT/ADV-2007-4258",
      "@source": "FRSIRT"
    },
    {
      "#text": "http://www.frsirt.com/english/advisories/2008/2838",
      "@id": "FrSIRT/ADV-2008-2838",
      "@source": "FRSIRT"
    },
    {
      "#text": "http://jvndb.jvn.jp/ja/contents/2007/JVNDB-2007-000817.html",
      "@id": "JVNDB-2007-000817",
      "@source": "JVNDB_Ja"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Flash Player vulnerable in handling cross-domain policy files"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.