Hello list!

I want to warn you about new XSS vulnerability in JW Player and JW Player
Pro.

Last year I've written about multiple Content Spoofing and Cross-Site
Scripting vulnerabilities in JW Player and JW Player Pro, and this is new
Cross-Site Scripting vulnerability (about which I've not wrote in 2012). In
June I wrote about vulnerabilities in JW Player
(http://securityvulns.ru/docs28176.html) and in August about vulnerabilities
in licensed version of the player - JW Player Pro
(http://securityvulns.ru/docs28483.html). This new vulnerability concerns
both versions of the player, as I've verified.

-------------------------
Affected products:
-------------------------

Vulnerable are versions JW Player and JW Player Pro before 5.10.2393. Tested
in 5.10.2295 and previous versions.

The developers fixed this and two previous strictly social XSS holes in
version 5.10.2393 at 20.08.2012. Note, that all versions of JW Player (with
support of callbacks), including last 6.x versions, are still vulnerable to
XSS via JS callbacks (as described in my first advisory).

-------------------------
Affected vendors:
-------------------------

LongTail Video
http://longtailvideo.com

----------
Details:
----------

Earlier I've wrote about two strictly social XSS vulnerabilities in JW
Player Pro in logo.link and aboutlink parameters (XSS payload executes after
user's click). And in the middle of this week I've found similar hole in
parameter link (which worked in both versions of JW Player), when came to
developer's site (trac) to find out how they fixed these holes (since they
haven't fixed strictly social XSS holes in May 2012, only reflected XSS
hole). I supposed that they were aware about these holes, when I found them,
since they had protection from javascript and vbscript URIs and I bypassed
their protection with data URI (for previous two holes and this new hole).
So they fixed all these holes in one patch in version 5.10.2393.

XSS (WASC-08):

http://site/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg

For conducting this attack, besides using parameter link, it's needed to set
parameters displayclick=link and file. If to set video in parameter file,
then it must be address of existent video-file, but if to set image, then it
can be arbitrary name of jpg-file (even non-existent).

Names of the swf-file can be different: jwplayer.swf, player.swf or others.

------------
Timeline:
------------ 

2012.05.25 - found vulnerabilities during pentest in JW Player (in version
5.7.1896 and tested in the last version from official site).
2012.05.29 - informed developers.
2012.05.29 - developers answered that most holes should be fixed in version
5.9.2206 (in trunk).
2012.05.31 - after checking, I've informed developers that in trunk only one
XSS are fixed. Then they answered that they were planning to fix all other
vulnerabilities in upcoming 6.0 version of the player.
2012.08.12 - found vulnerabilities at official web sites of one commercial
CMS with JW Player Pro.
2012.08.18 - informed developers about holes in JW Player Pro.
2012.08.20 - developers fixed three strictly social XSS holes.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua