Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29315
HistoryMay 06, 2013 - 12:00 a.m.

Vulnerabilities in multiple plugins for WordPress with jPlayer

2013-05-0600:00:00
vulners.com
24
JSON

Hello 3APA3A!

I want to inform you about multiple vulnerabilities in multiple plugins for WordPress with jPlayer. These are Cross-Site Scripting and Content Spoofing and vulnerabilities.

I've wrote about vulnerabilities in jPlayer earlier (http://seclists.org/fulldisclosure/2013/Apr/192). jPlayer is used in multiple web applications and particularly in multiple plugins for WordPress. Google dork for jPlayer shows 32000 results and for WP plugins with it shows 239000 (inurl:Jplayer.swf inurl:/wp-content/plugins/).

Among them are MP3-jPlayer, Haiku minimalist audio player, Background Music, Jammer and WP jPlayer. These five plugins placed in WordPress plugins catalog with tag "jplayer", But there are other vulnerable plugins for WP with Jplayer.swf (which can be found with above-mentioned Google dork). All developers of these plugins, the same as developers of all other web applications with jPlayer, need to update it in their software.

Affected products:

MP3-jPlayer 1.8.3 and previous versions.
Haiku minimalist audio player 1.0.0 and previous versions.
Background Music 1.0 and previous versions.
Jammer 0.2 and previous versions.
WP jPlayer 0.1 and previous versions.

Vulnerabilities are in jPlayer versions before 2.2.23. Version 2.2.23 and the last released version 2.3.0 are not vulnerable to mentioned XSS, except CS via JS and XSS via JS callbacks. Also there are other bypass methods which work in version 2.3.0, but the developers haven't fixed them besides attack via alert. About that I've wrote to developers already in March and reminded again. So wait for new version with fixing of these vulnerabilities.

Affected vendors:

Plugins' pages at WordPress plugins catalog:

MP3-jPlayer
http://wordpress.org/extend/plugins/mp3-jplayer/
Haiku minimalist audio player
http://wordpress.org/extend/plugins/haiku-minimalist-audio-player/
Background Music
http://wordpress.org/extend/plugins/background-music/
Jammer
http://wordpress.org/extend/plugins/jammer/
WP jPlayer
http://wordpress.org/extend/plugins/wp-jplayer/

Details:

Cross-Site Scripting (WASC-08):

In different versions of jPlayer there are different XSS vulnerabilities (see in the first advisory) and different WP plugins has different versions of jPlayer.

MP3-jPlayer:

http:/site/wp-content/plugins/mp3-jplayer/js/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

Haiku minimalist audio player:

http:/site/wp-content/plugins/haiku-minimalist-audio-player/js/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

Background Music:

http:/site/wp-content/plugins/background-music/js/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

Jammer:

http:/site/wp-content/plugins/jammer/files/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alert\u0028document.cookie\u0029%3E

WP jPlayer:

http:/site/wp-content/plugins/wp-jplayer/assets/js/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http:/site/wp-content/plugins/wp-jplayer/assets/js/Jplayer.swf?id='))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

Content Spoofing (WASC-12):

It's possible to conduct CS (inclusion of audio/video files from external resources) via JS and XSS via JS callbacks. This requires HTML Injection vulnerability at the site. The attack is similar to XSS attacks via callbacks in JW Player (http://securityvulns.ru/docs28176.html).

Because this attack vector requires separate vulnerability at target site to conduct CS and XSS attacks with using of jPlayer, the developers didn't do anything to fix it. The same as developers JW Player. So protection from this attack scenario lies solely on web sites owners.

Timeline:

2013.03.19 - informed developers of jPlayer.
2013.04.20 - developers released jPlayer 2.3.0 (http://www.jplayer.org/2.3.0/release-notes/) and informed me.
2013.04.21 - informed developers of MP3-jPlayer, Haiku minimalist audio player and WP jPlayer (from five developers only these three had contact information).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON