lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <00d801cd80a7$ec583570$9b7a6fd5@ml>
Date: Wed, 22 Aug 2012 23:50:46 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities in JW Player Pro

Hello list!

I want to warn you about security vulnerabilities in JW Player Pro.

These are Content Spoofing and Cross-Site Scripting vulnerabilities.

In June I've wrote about vulnerabilities in JW Player
(http://securityvulns.ru/docs28176.html). And these are vulnerabilities in
licensed version of the player - JW Player Pro.

-------------------------
Affected products:
-------------------------

Vulnerable are JW Player Pro 5.10.2295 and previous versions (licensed
versions of JW Player).

The developers promised me to fix these vulnerabilities soon (in updated
version of 5.10 or in 5.11). All users of licensed version and web
developers, which distribute it with their software, are recommended to
upgrade to the latest version of the player.

----------
Details:
----------

Earlier I've wrote about vulnerabilities in JW Player and in the advisory
I've also mentioned two holes which concern only licensed version - Content
Spoofing and Cross-Site Scripting in logo feature. I had no swf-file of
licensed version and hadn't found it to check these holes, and after my ask
to developers to provided me with a link to any web site with it to verify
these vulnerabilities, they didn't do it (so I wrote supposed PoCs for these
holes). But in August I've found such licensed version of JW Player, checked
these holes and found that attacking code for XSS must be different, so I
created new attack code for XSS.

XSS (WASC-08):

Concerning one previous vulnerability. The swf-file has protection against
javascript: and vbscript: URIs, so data: URI must be used.

http://site/jwplayer.swf?file=1.flv&logo.file=1.jpg&logo.link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

And here are two new vulnerabilities.

Content Spoofing (WASC-12):

http://site/jwplayer.swf?abouttext=Player&aboutlink=http://site

XSS (WASC-08):

http://site/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Names of the swf-file can be different: jwplayer.swf, player.swf or others.

------------
Timeline:
------------ 

2012.08.12 - found vulnerabilities at official web sites of one commercial
CMS with JW Player Pro.
2012.08.16 - informed developers of CMS about all previous holes in JW
Player (which they haven't fixed since end of May, when part of the holes
were fixed).
2012.08.17 - informed developers of CMS about new holes.
2012.08.18 - informed developers of JW Player.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists