SECURITYVULNS:DOC:28483
Sep 03, 2012 - 12:00 a.m.

Vulnerabilities in JW Player Pro


Hello 3APA3A!

I want to warn you about security vulnerabilities in JW Player Pro.

These are Content Spoofing and Cross-Site Scripting vulnerabilities.

In June I wrote about vulnerabilities in JW Player (http://securityvulns.ru/docs28176.html). And these are vulnerabilities in the licensed version of the player - JW Player Pro.


Affected products:

Vulnerable are JW Player Pro 5.10.2295 and previous versions (licensed versions of JW Player).

The developers promised me to fix these vulnerabilities soon (in an updated version of 5.10 or in 5.11). All users of the licensed version, and web developers who distribute it with their software, are recommended to upgrade to the latest version of the player.


Details:

Earlier I wrote about vulnerabilities in JW Player, and in the advisory I also mentioned two holes which concern only the licensed version - Content Spoofing and Cross-Site Scripting in the logo feature. I had no swf-file of the licensed version and hadn't found one to check these holes, and after I asked the developers to provide me with a link to any web site with it to verify these vulnerabilities, they didn't do it (so I wrote supposed PoCs for these holes). But in August I found such a licensed version of JW Player, checked these holes and found that the attacking code for XSS must be different, so I created new attack code for XSS.

XSS (WASC-08):

Concerning one previous vulnerability. The swf-file has protection against javascript: and vbscript: URIs, so data: URI must be used.

http://site/jwplayer.swf?file=1.flv&logo.file=1.jpg&logo.link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

And here are two new vulnerabilities.

Content Spoofing (WASC-12):

http://site/jwplayer.swf?abouttext=Player&aboutlink=http://site

XSS (WASC-08):

http://site/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Names of the swf-file can be different: jwplayer.swf, player.swf or others.


Timeline:

2012.08.12 - found vulnerabilities at official web sites of one commercial CMS with JW Player Pro.
2012.08.16 - informed developers of CMS about all previous holes in JW Player (which they haven't fixed since the end of May, when part of the holes were fixed).
2012.08.17 - informed developers of CMS about new holes.
2012.08.18 - informed developers of JW Player.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
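
The XSS details above describe a filter that refuses javascript: and vbscript: URIs but lets data: through, which is the usual weakness of a scheme denylist. The following is an added example, not code from the advisory or from JW Player: it contrasts that denylist with a scheme allowlist for the `logo.link` and `aboutlink` parameters and audits a player URL. Function names, host names and the sample URL are constructed for illustration.

```javascript
// Link parameters named in the advisory.
const LINK_PARAMS = ["logo.link", "aboutlink"];

// Constructed sample URL (placeholder hosts and a dummy data: value).
const SAMPLE_PLAYER_URL =
  "http://site.example/jwplayer.swf?file=1.flv" +
  "&logo.link=data:text/html;base64,AAAA" +
  "&aboutlink=http://other.example/";

// Denylist as the advisory describes the filter: only javascript: and vbscript: are refused.
function denylistAccepts(link) {
  return !/^\s*(javascript|vbscript):/i.test(link);
}

// Allowlist: accept only absolute http(s) URLs and, when a host list is given, only those hosts.
function allowlistAccepts(link, allowedHosts = null) {
  let url;
  try {
    url = new URL(link); // relative or unparsable values are rejected
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return allowedHosts === null || allowedHosts.includes(url.hostname);
}

// Audit one player URL: report every link parameter and how each check treats it.
function auditPlayerUrl(playerUrl, allowedHosts = null) {
  const params = new URL(playerUrl).searchParams;
  const findings = [];
  for (const name of LINK_PARAMS) {
    for (const value of params.getAll(name)) {
      const m = value.match(/^\s*([a-z][a-z0-9+.-]*):/i);
      findings.push({
        name,
        scheme: m ? m[1].toLowerCase() : "(none)",
        denylist: denylistAccepts(value),
        allowlist: allowlistAccepts(value, allowedHosts),
      });
    }
  }
  return findings;
}

console.log(auditPlayerUrl(SAMPLE_PLAYER_URL, ["site.example"]));
```

Passing a host list also covers the Content Spoofing case, since an `aboutlink` pointing at a host outside the list is rejected even though its scheme is http.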