Swfdec - Aug 2008 - [Bug 17220] New: Swfdec does not support Clipboard Hijack Attacks

http://bugs.freedesktop.org/show_bug.cgi?id=17220

           Summary: Swfdec does not support Clipboard Hijack Attacks
           Product: swfdec
           Version: 0.7.x
          Platform: x86 (IA32)
               URL: http://it.slashdot.org/it/08/08/20/0029220.shtml
        OS/Version: Linux (All)
            Status: NEW
          Severity: trivial
          Priority: lowest
         Component: plugin
        AssignedTo: swfdec at lists.freedesktop.org
        ReportedBy: oyvinds at everdot.org
         QAContact: swfdec at lists.freedesktop.org


The Adove Flash URL clipboard-hijacking insertion of hostile URLs
"feature"
(demo at http://raffon.net/research/flash/cb/test.html) does not work with
swfdec-mozilla.


-- 
Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.

http://bugs.freedesktop.org/show_bug.cgi?id=17220


Pekka Lampila <pekka.lampila at iki.fi> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |10840
             Status|NEW                         |ASSIGNED




--- Comment #1 from Pekka Lampila <pekka.lampila at iki.fi>  2008-08-20
12:42:10 PST ---
We don't currently support AVM2 (aka. AS3, ABC) that is required to make
this
attack work, adding depends

Might be possible to write AS2 version of this attack, and that wouldn't
work
in Swfdec either since we lack support for System.setClipboard function


-- 
Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.

http://bugs.freedesktop.org/show_bug.cgi?id=17220


Benjamin Otte <otte at gnome.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|trivial                     |enhancement




--- Comment #2 from Benjamin Otte <otte at gnome.org>  2008-08-27 01:49:56
PST ---
System.setClipboard functionality should work like popups: Only allow them when
handling key presses or mouse clicks. That way buttons like "copy" and
ctrl-c
work fine, but you don't get random crap put in your clipboard.


-- 
Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.

https://bugs.freedesktop.org/show_bug.cgi?id=17220

Öyvind Saether <oyvinds at everdot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|ASSIGNED                    |RESOLVED

--- Comment #3 from Öyvind Saether <oyvinds at everdot.org> ---
this bug should be closed on the grounds that nobody cares about flash anymore

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/swfdec/attachments/20180428/4dbac043/attachment.html>