lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <00d801cd80a7$ec583570$9b7a6fd5@ml> Date: Wed, 22 Aug 2012 23:50:46 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: Vulnerabilities in JW Player Pro Hello list! I want to warn you about security vulnerabilities in JW Player Pro. These are Content Spoofing and Cross-Site Scripting vulnerabilities. In June I've wrote about vulnerabilities in JW Player (http://securityvulns.ru/docs28176.html). And these are vulnerabilities in licensed version of the player - JW Player Pro. ------------------------- Affected products: ------------------------- Vulnerable are JW Player Pro 5.10.2295 and previous versions (licensed versions of JW Player). The developers promised me to fix these vulnerabilities soon (in updated version of 5.10 or in 5.11). All users of licensed version and web developers, which distribute it with their software, are recommended to upgrade to the latest version of the player. ---------- Details: ---------- Earlier I've wrote about vulnerabilities in JW Player and in the advisory I've also mentioned two holes which concern only licensed version - Content Spoofing and Cross-Site Scripting in logo feature. I had no swf-file of licensed version and hadn't found it to check these holes, and after my ask to developers to provided me with a link to any web site with it to verify these vulnerabilities, they didn't do it (so I wrote supposed PoCs for these holes). But in August I've found such licensed version of JW Player, checked these holes and found that attacking code for XSS must be different, so I created new attack code for XSS. XSS (WASC-08): Concerning one previous vulnerability. The swf-file has protection against javascript: and vbscript: URIs, so data: URI must be used. http://site/jwplayer.swf?file=1.flv&logo.file=1.jpg&logo.link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B And here are two new vulnerabilities. Content Spoofing (WASC-12): http://site/jwplayer.swf?abouttext=Player&aboutlink=http://site XSS (WASC-08): http://site/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B Names of the swf-file can be different: jwplayer.swf, player.swf or others. ------------ Timeline: ------------ 2012.08.12 - found vulnerabilities at official web sites of one commercial CMS with JW Player Pro. 2012.08.16 - informed developers of CMS about all previous holes in JW Player (which they haven't fixed since end of May, when part of the holes were fixed). 2012.08.17 - informed developers of CMS about new holes. 2012.08.18 - informed developers of JW Player. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists