lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 08 May 2013 12:26:19 -0400
From: illwill <illwill@...mob.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Vulnerabilities in VideoJS

learn to fucking internet.

        -illwill
illwill@...mob.org
http://illmob.org






On 5/7/2013 11:09 AM, Ron Yount wrote:
> Please unsubscribe.  Address to be inactive
>
> -----Original Message-----
> From: Full-Disclosure [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of MustLive
> Sent: Monday, May 6, 2013 4:45 PM
> To: submissions@...ketstormsecurity.org; full-disclosure@...ts.grok.org.uk; 1337 Exploit DataBase
> Subject: [Full-disclosure] Vulnerabilities in VideoJS
>
> Hello list!
>
> I want to inform you about vulnerabilities in VideoJS. This is popular video and audio player, which is used at hundreds thousands of web sites and in multiple web applications.
>
> This is Cross-Site Scripting vulnerability in VideoJS. There is also DoS hole related to this player, which I've found at 27.01.2013 at vine.co, which was using VideoJS Flash Component v3.0 (http://vine.co/v/b5HpgZT3ZwL).
> Which concerned with Flash Player, Adobe fixed it already at 12th of February.
>
> More information is in my advisory for DoS vulnerability in Adobe Flash Player (http://seclists.org/fulldisclosure/2013/Apr/9). Here is my video demonstration of BSOD in Adobe Flash in Mozilla Firefox with using VideoJS (http://www.youtube.com/watch?v=xi29KZ3LD80).
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are versions before VideoJS Flash Component 3.0.2 and VideoJS 4.0. Versions VideoJS Flash Component 3.0.2 and VideoJS 4.0 are not vulnerable to mentioned XSS hole, except XSS via JS callbacks (as it can be read in repository on github). Also there are bypass methods which work in the last version, but the developers haven't fixed them due to their low impact. This week developers are planning to officially release VideoJS 4.0 (but swf-file with fixed XSS hole is already available at video.js and video-js-swf repositories on github).
>
> Updated version of VideoJS.swf is available in the next repositories:
>
> https://github.com/videojs/video-js-swf
> https://github.com/MustLive/video-js-swf
>
> -------------------------
> Affected vendors:
> -------------------------
>
> Earlier Zencoder, now Brightcove
> http://videojs.com
>
> ----------
> Details:
> ----------
>
> Cross-Site Scripting (WASC-08):
>
> http://site/video-js.swf?readyFunction=alert(document.cookie)
>
> But the fix in VideoJS Flash Component 3.0.2 is not protecting from the next
> attacks:
>
> http://site/video-js.swf?readyFunction=alert
>
> http://site/video-js.swf?readyFunction=prompt
>
> http://site/video-js.swf?readyFunction=confirm
>
> Which are small ones and the developers don't worry about them, so after I've drawn their attention last week on incomplete fix, they still released such fix. But they will think about improving their protection in the future versions.
>
> ------------
> Timeline:
> ------------ 
>
> 2013.01.27 - found DoS (BSOD) vulnerability.
> 2013.01.28 - recorded video PoC. And in the night have informed Adobe.
> 2013.02.07 - found XSS vulnerability.
> 2013.02.08 - informed developers of VideoJS about both vulnerabilities. They thanked and promised to fix it.
> 2013.02.12 - Adobe fixed DoS vulnerability.
> 2013.02.23 - reminded VideoJS developers and asked for date of releasing the fix.
> 2013.03.09 - again reminded developers.
> 2013.03.26 - again reminded developers.
> 2013.04.08 - reminded developers on github and resent previous letter to Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the hole for two months).
> 2013.04.08-30 - discussed with developers (on github and by e-mail). And made my own fix to force developers to fix the hole.
> 2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in source code on github.
> 2013.05.02 - developers compiled fixed version of swf (after my reminding) and uploaded to both repositories.
> 2013.05.02 - tested version 3.0.2 and found that developers haven't fixed the hole completely and informed them.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua 
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


Content of type "text/html" skipped

Download attachment "ehgbijga.jpg" of type "image/jpeg" (2300 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ