Issue

Embedding a flash video object in Adobe Dreamweaver CS3 or Adobe Contribute CS3 using the Insert Flash Video command might create a cross-site scripting vulnerability.

Reason

A potential cross-site scripting vulnerability has been identified within the FLVPlayer_Progressive.swf file.

Solution

Solution 1: Upgrade to Dreamweaver or Contribute CS4.

• To purchase an upgrade from Adobe, visit the Adobe Store, click Software, and then click the link for the product you want to purchase.
• To locate an authorized reseller, visit the Adobe website at www.adobe.com/store/customerregistration/other_places.jhtml.

Solution 2: Update the FLVPlayer_Progressive.swf file.

1. Download the updated Contribute and Dreamweaver update file.
   • 
     
   • Dreamweaver CS3 and Contribute CS3 for Windows
   • Dreamweaver CS3 and Contribute CS3 for Mac
2. Decompress the .zip or .dmg file.
3. Browse to the player's folder location:
   • Contribute
     • Windows
       \Program Files\Adobe\Adobe Contribute CS3\Configuration\Templates\Video_Player
     • Mac OS
       /Applications/Adobe Contribute CS3/Configuration/Templates/Video_Player
   • Dreamweaver
     • Windows
       \Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Templates\Video_Player
     • Mac OS
       /Applications/Adobe Dreamweaver CS3/configuration/Templates/Video_Player
4. Rename original FLVPlayer_Progressive.swf to FLVPlayer_Progressive.old.
5. Dreamweaver Only: Rename original FLVPlayer_Streaming.swf to FLVPlayer_Streaming.old.
6. Drag and drop the FLVPlayer_Progressive.swf from the download into the Video_Player folder.
7. Dreamweaver only: Drag and drop the FLVPlayer_Streaming.swf from the download into the Video_Player folder.
8. Restart Dreamweaver or Contribute.

To mitigate this vulnerability on websites, site administrators that use the FLVPlayback_Progressive.swf component are encouraged to update their site by following these instructions:

1. Download a copy of the webpage(s) which include an embedded FLV video from the webserver.
2. Open the webpage in Dreamweaver or Contribute.
3. Preview the site in Dreamweaver using the "Preview In Browser" or in Contribute.
   
   Note: Flash security settings may prevent Flash content from previewing if the content is stored on a local file folder. Please refer to "How do I let local Flash content communicate with the Internet" (TechNote 4c093f20.) for additional information on changing the security settings.
   
4. Once opened, preview the site using preview control on Dreamweaver or Contribute.
5. Save the page and re-upload to the webserver.
   
   Important: Ensure you upload dependent files in Dreamweaver.

To verify the update has been applied:

1. Browse to the player's folder location:
   • Contribute
     • Windows
       \Program Files\Adobe\Adobe Contribute CS3\Configuration\Templates\Video_Player
     • Mac OS
       /Applications/Adobe Contribute CS3/Configuration/Templates/Video_Player
   • Dreamweaver
     • Windows
       \Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Templates\Video_Player
     • Mac OS
       /Applications/Adobe Dreamweaver CS3/configuration/Templates/Video_Player
2. Verify the creation date of the file. The updated files should have a creation date of January 15, 2008.
   • On Windows: Right click on file and select Properties.
   • Mac OS: Control click on FLVPlayer_Progressive.swf and click GetInfo

Important: Please repeat the update procedure if the files are not updated.

Additional Information

Please refer to the Security Bulletin APSD08-01 for additional information about the vulnerability.

Products affected