JW Player Pro 5.10.2295 Spoofing / Cross Site Scripting

2012-08-22T00:00:00
ID PACKETSTORM:115792
Type packetstorm
Reporter MustLive
Modified 2012-08-22T00:00:00

Description

                                        
Hello list!
  
I want to warn you about security vulnerabilities in JW Player Pro.  
  
These are Content Spoofing and Cross-Site Scripting vulnerabilities.  
  
In June I wrote about vulnerabilities in JW Player
(http://securityvulns.ru/docs28176.html). These are vulnerabilities in the
licensed version of the player, JW Player Pro.
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are JW Player Pro 5.10.2295 and previous versions (licensed  
versions of JW Player).  
  
The developers promised me to fix these vulnerabilities soon (in an updated
version of 5.10 or in 5.11). All users of the licensed version, and web
developers who distribute it with their software, are recommended to
upgrade to the latest version of the player.
  
----------  
Details:  
----------  
  
Earlier I wrote about vulnerabilities in JW Player, and in that advisory
I also mentioned two holes which concern only the licensed version: Content
Spoofing and Cross-Site Scripting in the logo feature. I had no swf-file of
the licensed version and hadn't found one to check these holes, and after I
asked the developers to provide me with a link to any web site with it to verify
these vulnerabilities, they didn't do it (so I wrote supposed PoCs for these
holes). But in August I found such a licensed version of JW Player, checked
these holes and found that the attack code for XSS must be different, so I
created new attack code for XSS.
  
XSS (WASC-08):  
  
This concerns one of the previous vulnerabilities. The swf-file has protection
against javascript: and vbscript: URIs, so a data: URI must be used.
  
http://site/jwplayer.swf?file=1.flv&logo.file=1.jpg&logo.link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B  
  
And here are two new vulnerabilities.  
  
Content Spoofing (WASC-12):  
  
http://site/jwplayer.swf?abouttext=Player&aboutlink=http://site  
  
XSS (WASC-08):  
  
http://site/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B  
  
Names of the swf-file can be different: jwplayer.swf, player.swf or others.  
  
------------  
Timeline:  
------------   
  
2012.08.12 - found vulnerabilities at official web sites of one commercial  
CMS with JW Player Pro.  
2012.08.16 - informed developers of CMS about all previous holes in JW  
Player (which they haven't fixed since end of May, when part of the holes  
were fixed).  
2012.08.17 - informed developers of CMS about new holes.  
2012.08.18 - informed developers of JW Player.  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua  
  
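Added example, not part of the original advisory: a log check for requests to a .swf file whose `logo.link` or `aboutlink` parameter carries a scheme other than http/https or points at a host that is not yours. It assumes Combined Log Format; the names `classify`, `scan` and `own_hosts` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Link-carrying parameters named in the advisory.
LINK_PARAMS = ("logo.link", "aboutlink")
SAFE_SCHEMES = {"http", "https"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(target, own_hosts):
    """Return [(param, finding)] for one request target (path + query)."""
    parts = urlsplit(target)
    # The advisory notes the file name varies, so match any .swf path.
    if not parts.path.lower().endswith(".swf"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in LINK_PARAMS:
        for value in params.get(name, []):
            link = urlsplit(value.strip())
            if link.scheme and link.scheme not in SAFE_SCHEMES:
                # data:, javascript:, vbscript: and anything else unexpected
                findings.append((name, "non-http scheme: " + link.scheme))
            elif link.netloc and (link.hostname or "") not in own_hosts:
                # http(s) or scheme-relative link to a foreign host (spoofing)
                findings.append((name, "off-site link: " + str(link.hostname)))
    return findings

def scan(lines, own_hosts):
    """Return [(line_number, param, finding)] over access-log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits += [(number, p, f) for p, f in classify(match.group(1), own_hosts)]
    return hits

# Constructed sample lines (placeholder payload, documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Aug/2012:10:00:01 +0000] "GET /jwplayer.swf?file=1.flv HTTP/1.1" 200 1024',
    '198.51.100.8 - - [22/Aug/2012:10:00:02 +0000] "GET /player.swf?file=1.flv&logo.file=1.jpg&logo.link=data:text/html;base64,QUJD HTTP/1.1" 200 1024',
    '198.51.100.9 - - [22/Aug/2012:10:00:03 +0000] "GET /jwplayer.swf?abouttext=Player&aboutlink=http://other.example/ HTTP/1.1" 200 1024',
    '198.51.100.9 - - [22/Aug/2012:10:00:04 +0000] "GET /jwplayer.swf?abouttext=Player&aboutlink=http://www.example.com/about HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, {"www.example.com"}):
        print(hit)
```

The same allowlist (http/https only, known hosts only) is what a site embedding the player can enforce on these parameters before they reach the swf-file.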