Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30226
HistoryJan 09, 2014 - 12:00 a.m.

Vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer

2014-01-0900:00:00
vulners.com
8

Hello 3APA3A!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer. Earlier I wrote about vulnerabilities in Dewplayer (http://seclists.org/fulldisclosure/2013/Dec/192). This is media player, which is used at thousands web sites and in multiple web applications. There are near 422 000 web sites with dewplayer.swf in Google's index. And it's just one file name and there are other file names of this player (such as dewplayer-en.swf and others).

This flash media player is used in the next plugins: Dewplayer WordPress plugin, JosDewplayer and mosdewplayer for Joomla and collective.dewplayer for Plone. Also there can be other plugins with Dewplayer.


Affected products:

Vulnerable are the next web applications: Dewplayer WordPress plugin 1.2 and previous versions, JosDewplayer 2.0 and previous versions, all versions of mosdewplayer, collective.dewplayer 1.2 and previous versions.

Vulnerable are web applications which are using Dewplayer 2.2.2 and previous versions.


Affected vendors:

Plugins for different CMS with Dewplayer:

http://wordpress.org/extend/plugins/dewplayer-flash-mp3-player/

http://extensions.joomla.org/extensions/multimedia/audio-players-a-gallery/4779

http://plone.org/products/collective.dewplayer


Details:

These are examples of some vulnerabilities in Dewplayer, examples of all ะกS and XSS vulnerabilities see in above-mentioned advisory.

Dewplayer for WordPress:

Plugin contains the next flash-files: dewplayer.swf, dewplayer-mini.swf, dewplayer-multi.swf. All of them have CS holes.

Content Spoofing (Content Injection) (WASC-12):

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?mp3=1.mp3

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?file=1.mp3

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?sound=1.mp3

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?son=1.mp3

Full path disclosure (WASC-13):

http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.php

JosDewplayer and mosdewplayer:

Plugin JosDewplayer is based on mosdewplayer, so holes must be similar in them.

Plugin contains the next flash-files: dewplayer.swf, dewplayer-multi.swf, dewplayer-playlist.swf, dewplayer-rect.swf. All of them have CS holes.

http://site/plugins/content/josdewplayer/dewplayer.swf

collective.dewplayer:

Plugin contains the next flash-files: dewplayer-mini.swf, dewplayer.swf, dewplayer-multi.swf, dewplayer-rect.swf, dewplayer-playlist.swf, dewplayer-bubble.swf, dewplayer-vinyl.swf. All of these flash-files have CS holes and dewplayer-vinyl.swf also has XSS holes.

The path at web site can be different:

http://site/files/++resource++collective.dewplayer/dewplayer.swf

Content Spoofing (Content Injection) (WASC-12):

http://site/path/dewplayer.swf?mp3=1.mp3

XSS (WASC-08):

http://site/path/dewplayer-vinyl.swf?xml=xss.xml

xss.xml

<playlist version="1">
<trackList>
<track>
<location>javascript:alert(document.cookie)</location>
<title>XSS</title>
</track>
</trackList>
</playlist>


Timeline:

2013.10.25 - announced at my site.
2013.10.26 - informed developers.
2013.12.19 - disclosed at my site about Dewplayer.
2013.12.24 - disclosed at my site about plugins (http://websecurity.com.ua/6931/&#41;.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua