Hello 3APA3A!
I want to warn you about Cross-Site Scripting vulnerability in CorePlayer.
This is the same flash video player, which was used at online voting translations - today, 28.10.2012, on parliamentary elections in Ukraine and earlier this year on presidential elections in Russia.
Concerning elections in Ukraine. At spending 993.6 million gryvnas (approx. $124.2 million) for webcam setup (including development of web site for online translations), they haven't found money for security.
Vulnerable are CorePlayer 4.0.6 and previous versions. At web site webvybory2012.ru version 1.3.2 is used and at web site vybory2012.gov.ua version 4.0.6 is used.
XSS (WASC-08):
http://site/core_player.swf?callback=alert(document.cookie)
Examples:
http://webvybory2012.ru/flash/core-player.swf?callback=alert(document.cookie)
I mentioned about this vulnerability at my site (http://websecurity.com.ua/6117/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua