what you don't know can hurt you

JW Player Pro 5.10.2295 Spoofing / Cross Site Scripting

JW Player Pro 5.10.2295 Spoofing / Cross Site Scripting
Posted Aug 22, 2012
Authored by MustLive

JW Player Pro versions 5.10.2295 and below suffers from cross site scripting and content spoofing vulnerabilities.

tags | exploit, spoof, vulnerability, xss
MD5 | 3e6326a56e03e90666946701fc7e1991

JW Player Pro 5.10.2295 Spoofing / Cross Site Scripting

Change Mirror Download
Hello list!

I want to warn you about security vulnerabilities in JW Player Pro.

These are Content Spoofing and Cross-Site Scripting vulnerabilities.

In June I've wrote about vulnerabilities in JW Player
(http://securityvulns.ru/docs28176.html). And these are vulnerabilities in
licensed version of the player - JW Player Pro.

-------------------------
Affected products:
-------------------------

Vulnerable are JW Player Pro 5.10.2295 and previous versions (licensed
versions of JW Player).

The developers promised me to fix these vulnerabilities soon (in updated
version of 5.10 or in 5.11). All users of licensed version and web
developers, which distribute it with their software, are recommended to
upgrade to the latest version of the player.

----------
Details:
----------

Earlier I've wrote about vulnerabilities in JW Player and in the advisory
I've also mentioned two holes which concern only licensed version - Content
Spoofing and Cross-Site Scripting in logo feature. I had no swf-file of
licensed version and hadn't found it to check these holes, and after my ask
to developers to provided me with a link to any web site with it to verify
these vulnerabilities, they didn't do it (so I wrote supposed PoCs for these
holes). But in August I've found such licensed version of JW Player, checked
these holes and found that attacking code for XSS must be different, so I
created new attack code for XSS.

XSS (WASC-08):

Concerning one previous vulnerability. The swf-file has protection against
javascript: and vbscript: URIs, so data: URI must be used.

http://site/jwplayer.swf?file=1.flv&logo.file=1.jpg&logo.link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

And here are two new vulnerabilities.

Content Spoofing (WASC-12):

http://site/jwplayer.swf?abouttext=Player&aboutlink=http://site

XSS (WASC-08):

http://site/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Names of the swf-file can be different: jwplayer.swf, player.swf or others.

------------
Timeline:
------------

2012.08.12 - found vulnerabilities at official web sites of one commercial
CMS with JW Player Pro.
2012.08.16 - informed developers of CMS about all previous holes in JW
Player (which they haven't fixed since end of May, when part of the holes
were fixed).
2012.08.17 - informed developers of CMS about new holes.
2012.08.18 - informed developers of JW Player.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    19 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close