FYI, for you browser security afficinados...
-----Original Message-----
From: Full-Disclosure [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of MustLive
Sent: Sunday, May 05, 2013 8:58 AM
To: submissions@packetstormsecurity.org; full-disclosure@lists.grok.org.uk; 1337 Exploit DataBase
Subject: [Full-disclosure] XSS vulnerability in JW Player and JW Player Pro
Hello list!
I want to warn you about new XSS vulnerability in JW Player and JW Player Pro.
Last year I've written about multiple Content Spoofing and Cross-Site Scripting vulnerabilities in JW Player and JW Player Pro, and this is new Cross-Site Scripting vulnerability (about which I've not wrote in 2012). In June I wrote about vulnerabilities in JW Player
(http://securityvulns.ru/docs28176.html) and in August about vulnerabilities in licensed version of the player - JW Player Pro (http://securityvulns.ru/docs28483.html). This new vulnerability concerns both versions of the player, as I've verified.
-------------------------
Affected products:
-------------------------
Vulnerable are versions JW Player and JW Player Pro before 5.10.2393. Tested in 5.10.2295 and previous versions.
The developers fixed this and two previous strictly social XSS holes in version 5.10.2393 at 20.08.2012. Note, that all versions of JW Player (with support of callbacks), including last 6.x versions, are still vulnerable to XSS via JS callbacks (as described in my first advisory).
-------------------------
Affected vendors:
-------------------------
LongTail Video
http://longtailvideo.com
----------
Details:
----------
Earlier I've wrote about two strictly social XSS vulnerabilities in JW Player Pro in logo.link and aboutlink parameters (XSS payload executes after user's click). And in the middle of this week I've found similar hole in parameter link (which worked in both versions of JW Player), when came to developer's site (trac) to find out how they fixed these holes (since they haven't fixed strictly social XSS holes in May 2012, only reflected XSS hole). I supposed that they were aware about these holes, when I found them, since they had protection from javascript and vbscript URIs and I bypassed their protection with data URI (for previous two holes and this new hole).
So they fixed all these holes in one patch in version 5.10.2393.
XSS (WASC-08):
For conducting this attack, besides using parameter link, it's needed to set parameters displayclick=link and file. If to set video in parameter file, then it must be address of existent video-file, but if to set image, then it can be arbitrary name of jpg-file (even non-existent).
Names of the swf-file can be different: jwplayer.swf, player.swf or others.
------------
Timeline:
------------
2012.05.25 - found vulnerabilities during pentest in JW Player (in version
5.7.1896 and tested in the last version from official site).
2012.05.29 - informed developers.
2012.05.29 - developers answered that most holes should be fixed in version
5.9.2206 (in trunk).
2012.05.31 - after checking, I've informed developers that in trunk only one XSS are fixed. Then they answered that they were planning to fix all other vulnerabilities in upcoming 6.0 version of the player.
2012.08.12 - found vulnerabilities at official web sites of one commercial CMS with JW Player Pro.
2012.08.18 - informed developers about holes in JW Player Pro.
2012.08.20 - developers fixed three strictly social XSS holes.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon May 6 12:28:14 2013
This archive was generated by hypermail 2.1.8 : Mon May 06 2013 - 12:28:14 AKDT
