Vulners
Lucene search
JW Player Pro 5.10.2295 Spoofing / Cross Site Scripting
`Hello list!
I want to warn you about security vulnerabilities in JW Player Pro.
These are Content Spoofing and Cross-Site Scripting vulnerabilities.
In June I've wrote about vulnerabilities in JW Player
(http://securityvulns.ru/docs28176.html). And these are vulnerabilities in
licensed version of the player - JW Player Pro.
-------------------------
Affected products:
-------------------------
Vulnerable are JW Player Pro 5.10.2295 and previous versions (licensed
versions of JW Player).
The developers promised me to fix these vulnerabilities soon (in updated
version of 5.10 or in 5.11). All users of licensed version and web
developers, which distribute it with their software, are recommended to
upgrade to the latest version of the player.
----------
Details:
----------
Earlier I've wrote about vulnerabilities in JW Player and in the advisory
I've also mentioned two holes which concern only licensed version - Content
Spoofing and Cross-Site Scripting in logo feature. I had no swf-file of
licensed version and hadn't found it to check these holes, and after my ask
to developers to provided me with a link to any web site with it to verify
these vulnerabilities, they didn't do it (so I wrote supposed PoCs for these
holes). But in August I've found such licensed version of JW Player, checked
these holes and found that attacking code for XSS must be different, so I
created new attack code for XSS.
XSS (WASC-08):
Concerning one previous vulnerability. The swf-file has protection against
javascript: and vbscript: URIs, so data: URI must be used.
http://site/jwplayer.swf?file=1.flv&logo.file=1.jpg&logo.link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
And here are two new vulnerabilities.
Content Spoofing (WASC-12):
http://site/jwplayer.swf?abouttext=Player&aboutlink=http://site
XSS (WASC-08):
http://site/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
Names of the swf-file can be different: jwplayer.swf, player.swf or others.
------------
Timeline:
------------
2012.08.12 - found vulnerabilities at official web sites of one commercial
CMS with JW Player Pro.
2012.08.16 - informed developers of CMS about all previous holes in JW
Player (which they haven't fixed since end of May, when part of the holes
were fixed).
2012.08.17 - informed developers of CMS about new holes.
2012.08.18 - informed developers of JW Player.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Aug 2012 00:00Current