| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 5 May 2013 19:58:24 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, "1337 Exploit DataBase" <mr.inj3ct0r@...il.com> Subject: XSS vulnerability in JW Player and JW Player Pro Hello list! I want to warn you about new XSS vulnerability in JW Player and JW Player Pro. Last year I've written about multiple Content Spoofing and Cross-Site Scripting vulnerabilities in JW Player and JW Player Pro, and this is new Cross-Site Scripting vulnerability (about which I've not wrote in 2012). In June I wrote about vulnerabilities in JW Player (http://securityvulns.ru/docs28176.html) and in August about vulnerabilities in licensed version of the player - JW Player Pro (http://securityvulns.ru/docs28483.html). This new vulnerability concerns both versions of the player, as I've verified. ------------------------- Affected products: ------------------------- Vulnerable are versions JW Player and JW Player Pro before 5.10.2393. Tested in 5.10.2295 and previous versions. The developers fixed this and two previous strictly social XSS holes in version 5.10.2393 at 20.08.2012. Note, that all versions of JW Player (with support of callbacks), including last 6.x versions, are still vulnerable to XSS via JS callbacks (as described in my first advisory). ------------------------- Affected vendors: ------------------------- LongTail Video http://longtailvideo.com ---------- Details: ---------- Earlier I've wrote about two strictly social XSS vulnerabilities in JW Player Pro in logo.link and aboutlink parameters (XSS payload executes after user's click). And in the middle of this week I've found similar hole in parameter link (which worked in both versions of JW Player), when came to developer's site (trac) to find out how they fixed these holes (since they haven't fixed strictly social XSS holes in May 2012, only reflected XSS hole). I supposed that they were aware about these holes, when I found them, since they had protection from javascript and vbscript URIs and I bypassed their protection with data URI (for previous two holes and this new hole). So they fixed all these holes in one patch in version 5.10.2393. XSS (WASC-08): http://site/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg For conducting this attack, besides using parameter link, it's needed to set parameters displayclick=link and file. If to set video in parameter file, then it must be address of existent video-file, but if to set image, then it can be arbitrary name of jpg-file (even non-existent). Names of the swf-file can be different: jwplayer.swf, player.swf or others. ------------ Timeline: ------------ 2012.05.25 - found vulnerabilities during pentest in JW Player (in version 5.7.1896 and tested in the last version from official site). 2012.05.29 - informed developers. 2012.05.29 - developers answered that most holes should be fixed in version 5.9.2206 (in trunk). 2012.05.31 - after checking, I've informed developers that in trunk only one XSS are fixed. Then they answered that they were planning to fix all other vulnerabilities in upcoming 6.0 version of the player. 2012.08.12 - found vulnerabilities at official web sites of one commercial CMS with JW Player Pro. 2012.08.18 - informed developers about holes in JW Player Pro. 2012.08.20 - developers fixed three strictly social XSS holes. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists