Vulnerability Note VU#138457
Adobe Flash Player fails to properly validate HTTP Referers
The Adobe Flash Player fails to properly validate HTTP Referers. This may allow an attacker to conduct cross-site request forgery attacks.
Adobe Flash Player is a player for the Flash media format and enables frame-based animations with sound to be viewed within a web browser. Flash content can cause the player to issue HTTP requests, and the Referer header accompanying those requests is what this note concerns. The HTTP Referer header is defined in section 14.36 of RFC 2616:
The Referer[sic] request-header field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained (the "referrer", although the header field is misspelled.) The Referer request-header allows a server to generate lists of back-links to resources for interest, logging, optimized caching, etc. It also allows obsolete or mistyped links to be traced for maintenance. The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard.
An attacker who can cause a user to view attacker-controlled Flash content may be able to conduct cross-site request forgery attacks. Web applications that rely on the Referer header to distinguish requests originating from their own pages from cross-site requests are the ones at risk, since the header's value is supplied by the client.
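The impact above turns on what a server can infer from the Referer header. The following Python is an added example, not code from this vulnerability note, CERT/CC or Adobe: it contrasts two server-side Referer checks with a session-bound anti-CSRF token over constructed requests, including one whose Referer was chosen by the attacker rather than by the browser. The application origin, server secret, session identifier and request records are assumptions made for the illustration.

```python
"""Referer-based CSRF check versus a session-bound token check.

Added example, not code from the vulnerability note, CERT/CC or Adobe. It
models the server side of the problem: a web application that accepts
state-changing requests when the Referer header names its own origin. If any
component on the client lets hostile content send a Referer of its choosing,
that check passes for a forged request, while a token the attacker cannot
read still rejects it. All names and records below are constructed.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://bank.example"          # hypothetical application origin
SECRET = b"constructed-server-side-secret"       # hypothetical per-deployment secret
SESSION_ID = "sess-7f3a"                         # hypothetical session identifier


def origin_of(url):
    """Return scheme://host[:port] for an http(s) URL, or None if unparsable."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname.lower()}"
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        origin += f":{port}"
    return origin


def naive_referer_check(headers):
    """String-prefix check seen in real applications: fooled even by an honest
    browser when the page lives at https://bank.example.evil.test/."""
    return headers.get("Referer", "").startswith(TRUSTED_ORIGIN)


def strict_referer_check(headers):
    """Parse the Referer and compare origins; fail closed when it is absent,
    which RFC 2616 section 14.36 explicitly permits. Still bypassed whenever
    the client sends an attacker-chosen value."""
    referer = headers.get("Referer")
    if referer is None:
        return False
    return origin_of(referer) == TRUSTED_ORIGIN


def issue_csrf_token(session_id, secret=SECRET):
    """Synchronizer-token pattern: a token bound to the session by an HMAC,
    embedded in the application's own forms and not readable cross-origin."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(form, session_id, secret=SECRET):
    """Constant-time comparison of the submitted token with the expected one."""
    expected = issue_csrf_token(session_id, secret).encode()
    supplied = form.get("csrf_token", "").encode()
    return hmac.compare_digest(expected, supplied)


def evaluate(request, session_id=SESSION_ID):
    """Run all three checks over one request and report which would accept it."""
    return {
        "naive_referer": naive_referer_check(request["headers"]),
        "strict_referer": strict_referer_check(request["headers"]),
        "token": token_check(request["form"], session_id),
    }


# Constructed requests. LEGIT is a submission from the application's own form.
# FORGED models a cross-site request from a client on which hostile content was
# able to set the Referer to the trusted origin; it cannot supply the token.
# LOOKALIKE is an honest browser on a hostile page with a confusable hostname.
LEGIT = {
    "headers": {"Referer": "https://bank.example/transfer"},
    "form": {"csrf_token": issue_csrf_token(SESSION_ID), "amount": "10"},
}
FORGED = {
    "headers": {"Referer": "https://bank.example/transfer"},  # attacker-chosen
    "form": {"amount": "10000"},
}
LOOKALIKE = {
    "headers": {"Referer": "https://bank.example.evil.test/"},
    "form": {"amount": "10000"},
}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("forged", FORGED), ("lookalike", LOOKALIKE)):
        print(name, evaluate(req))
```

Both Referer checks accept the forged request because nothing in the header itself shows who chose its value; only the token check, which depends on a value the attacker's content cannot read, rejects it. Failing closed on a missing Referer is also a trade-off in practice, since some proxies and privacy settings strip the header from legitimate requests, which is a further reason to treat Referer checking as a secondary signal rather than the defense.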
Apply a patch from the vendor; see the Systems Affected section below for vendor status. Web application developers should not rely on the Referer header as the sole defense against cross-site request forgery, since its value is supplied by the client; an unpredictable, session-bound token included in each state-changing request does not depend on the Referer and is not affected by this issue.
Systems Affected

Vendor   Status     Date Notified   Date Updated
Adobe    Affected   -               12 Jul 2007
Thanks to Adobe for information that was used in this report. Adobe credits Daiki Fukumori of Secure Sky Technology, Inc. for reporting the vulnerability.
This document was written by Ryan Giobbi.
- CVE IDs: CVE-2007-3457
- Date Public: 10 Jul 2007
- Date First Published: 12 Jul 2007
- Date Last Updated: 16 Jul 2007
- Severity Metric: 4.32
- Document Revision: 11
If you have feedback, comments, or additional information about this vulnerability, please send us email.