JW Player / JW Player Pro 5.x Cross Site Scripting

06 May 2013 - Reported by MustLive - Source: packetstorm (packetstormsecurity.com)

JW Player Pro 5.x Cross Site Scripting vulnerability and patch details

Hello list!  
  
I want to warn you about a new XSS vulnerability in JW Player and JW Player  
Pro.  
  
Last year I wrote about multiple Content Spoofing and Cross-Site Scripting  
vulnerabilities in JW Player and JW Player Pro; this is a new Cross-Site  
Scripting vulnerability that I did not write about in 2012. In June I wrote  
about vulnerabilities in JW Player (http://securityvulns.ru/docs28176.html)  
and in August about vulnerabilities in the licensed version of the player,  
JW Player Pro (http://securityvulns.ru/docs28483.html). This new  
vulnerability affects both versions of the player, as I have verified.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are JW Player and JW Player Pro versions before 5.10.2393. Tested  
in 5.10.2295 and previous versions.  
  
The developers fixed this and the two previous strictly social XSS holes in  
version 5.10.2393 on 20.08.2012. Note that all versions of JW Player with  
support for callbacks, including the latest 6.x versions, are still  
vulnerable to XSS via JS callbacks (as described in my first advisory).  
  
-------------------------  
Affected vendors:  
-------------------------  
  
LongTail Video  
http://longtailvideo.com  
  
----------  
Details:  
----------  
  
Earlier I wrote about two strictly social XSS vulnerabilities in JW Player  
Pro, in the logo.link and aboutlink parameters (the XSS payload executes  
after the user's click). In the middle of this week I found a similar hole  
in the link parameter (which works in both versions of JW Player) when I  
came to the developers' site (trac) to find out how they had fixed those  
holes (since in May 2012 they had fixed only the reflected XSS hole, not the  
strictly social XSS holes). I supposed that they were aware of these holes  
when I found them, since they had protection against javascript and vbscript  
URIs, and I bypassed their protection with a data URI (for the previous two  
holes and this new hole). So they fixed all of these holes in one patch, in  
version 5.10.2393.  
  
XSS (WASC-08):  
  
http://site/player.swf?displayclick=link&link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg  
  
To conduct this attack, besides the link parameter, the parameters  
displayclick=link and file must be set. If file is set to a video, it must  
be the address of an existing video file; if it is set to an image, it can  
be an arbitrary jpg file name (even a non-existent one).  
  
The name of the swf file can differ: jwplayer.swf, player.swf or others.  
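
The following is an added example, not JW Player's or LongTail Video's own code. It reconstructs the logic the advisory describes: a scheme blocklist that rejects only javascript: and vbscript: links lets the data: URI from the proof-of-concept through, while an allowlist of http/https (plus relative links) does not. It also parses the PoC URL and decodes the base64 body of the data: URI so the smuggled page can be inspected. The function names, the "site" placeholder host and the shape of the legacy check are this example's own assumptions.

```javascript
// Added example, not JW Player's or LongTail Video's own code. It reconstructs
// the logic the advisory describes: a blocklist that rejects only javascript:
// and vbscript: links is bypassed by a data: URI, while an http/https allowlist
// is not. Function names and the placeholder host "site" are this example's own.

// The advisory's proof-of-concept URL (host "site" is a placeholder).
const POC_URL =
  "http://site/player.swf?displayclick=link&link=data:text/html;base64," +
  "PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&file=1.jpg";

// Read the three query parameters the attack depends on; %2B decodes to '+'.
function parsePlayerParams(urlString) {
  const params = new URL(urlString).searchParams;
  return {
    displayclick: params.get("displayclick"),
    link: params.get("link"),
    file: params.get("file"),
  };
}

// URI scheme of a link, lower-cased, ignoring leading whitespace; null when
// the link is relative (has no scheme).
function schemeOf(link) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(link);
  return m ? m[1].toLowerCase() : null;
}

// Blocklist in the spirit of the pre-5.10.2393 check: only the two script
// schemes are refused, so "data:" (and any scheme not on the list) passes.
function blocklistAllowsLink(link) {
  const scheme = schemeOf(link);
  return scheme !== "javascript" && scheme !== "vbscript";
}

// Hardened check: a click target may only be a relative, http or https URL.
function allowlistAllowsLink(link) {
  const scheme = schemeOf(link);
  return scheme === null || scheme === "http" || scheme === "https";
}

// Decode a data: URI so the smuggled document can be inspected.
function decodeDataUri(link) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/is.exec(link);
  if (!m) return null;
  const body = m[2]
    ? Buffer.from(m[3], "base64").toString("utf8")
    : decodeURIComponent(m[3]);
  return { mediaType: m[1] || "text/plain", body };
}

// Run the proof-of-concept link through both checks and report the outcome.
function evaluatePoc(urlString = POC_URL) {
  const { displayclick, link, file } = parsePlayerParams(urlString);
  const payload = decodeDataUri(link);
  return {
    clickHandlerIsLink: displayclick === "link",
    fileIsSet: file !== null && file !== "",
    blocklistAllows: blocklistAllowsLink(link),   // true: the bypass works
    allowlistAllows: allowlistAllowsLink(link),   // false: data: is rejected
    payload: payload ? payload.body : null,       // the decoded <script> page
  };
}

console.log(evaluatePoc());
```

The decoded body of the PoC's data: URI is a plain script tag that reads document.cookie, which is why the check must be an allowlist on the scheme: any blocklist has to enumerate every scheme a browser will execute (javascript:, vbscript:, data:, and whatever a future engine adds), whereas an allowlist only has to name the schemes the player legitimately needs.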
  
------------  
Timeline:  
------------   
  
2012.05.25 - found vulnerabilities during a pentest in JW Player (in version  
5.7.1896, and tested in the latest version from the official site).  
2012.05.29 - informed the developers.  
2012.05.29 - the developers answered that most holes should be fixed in  
version 5.9.2206 (in trunk).  
2012.05.31 - after checking, I informed the developers that only one XSS was  
fixed in trunk. They then answered that they were planning to fix all other  
vulnerabilities in the upcoming 6.0 version of the player.  
2012.08.12 - found vulnerabilities on the official web sites of a commercial  
CMS with JW Player Pro.  
2012.08.18 - informed the developers about the holes in JW Player Pro.  
2012.08.20 - the developers fixed three strictly social XSS holes.  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  