Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29316
HistoryMay 06, 2013 - 12:00 a.m.

Vulnerabilities in jPlayer

2013-05-0600:00:00
vulners.com
59

Hello 3APA3A!

I want to inform you about multiple vulnerabilities in jPlayer. These are Cross-Site Scripting and Content Spoofing and vulnerabilities in jPlayer. Which is used at tens thousands of web sites and in multiple web applications.


Affected products:

Vulnerable are versions before jPlayer 2.2.23. Version 2.2.23 and the last released version 2.3.0 are not vulnerable to mentioned XSS, except CS via JS and XSS via JS callbacks. Also there are other bypass methods which work in version 2.3.0, but the developers haven't fixed them besides attack via alert. About that I've wrote to developers already in March and reminded again. So wait for new version with fixing of these vulnerabilities.


Affected vendors:

Happyworm
http://www.jplayer.org


Details:

Cross-Site Scripting (WASC-08):

In different versions of jPlayer there are different XSS vulnerabilities.

0.2.1 - 1.2.0:

http:/site/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

2.0.0:

http:/site/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

2.1.0:

http:/site/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

http:/site/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

In version 2.2.0 these XSS vulnerabilities were fixed (the developers was informed about hole in jQuery parameter and made a fix, which protected from both attacks). But Malte Batram (in version 2.2.19) and I (in version 2.2.20) have found new ones.

2.2.0 - 2.2.19 (and previous versions):

Attack works in Firefox (all versions and browsers on Gecko engine), IE6 and Opera 10.62.

http:/site/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alertu0028document.cookieu0029%3E

2.2.20 - 2.2.22 (and previous versions):

http:/site/Jplayer.swf?jQuery=alert&id=XSS

Content Spoofing (WASC-12):

It's possible to conduct CS (inclusion of audio/video files from external resources) via JS and XSS via JS callbacks. This requires HTML Injection vulnerability at the site. The attack is similar to XSS attacks via callbacks in JW Player (http://securityvulns.ru/docs28176.html).

Because this attack vector requires separate vulnerability at target site to conduct CS and XSS attacks with using of jPlayer, the developers didn't do anything to fix it. The same as developers JW Player. So protection from this attack scenario lies solely on web sites owners.


Timeline:

2013.01.31 - found vulnerabilities in jPlayer at multiple web sites (in version 2.1.0).
2013.03.14 - announced at my site.
2013.03.19 - informed developers.
2013.03.19-30 - discussed with developers different vulnerabilities in different versions of jPlayer and at their sites.
2013.03.21 - developers was informed by Malte Batram's about XSS hole in 2.2.19.
2013.03.21 - developers fixed Malte's XSS hole in 2.2.20 in github (CVE-2013-1942).
2013.03.22 - informed developers about new hole, which works in 2.2.20.
2013.03.23 - sent details of new XSS and warned about possibility for other XSS attacks and gave recommendations about proper fixing of XSS to prevent any future XSS.
2013.03.30 - reminded developers about last hole.
2013.04.12 - developers fixed my XSS hole in 2.2.23 in github.
2013.04.20 - developers released jPlayer 2.3.0 (http://www.jplayer.org/2.3.0/release-notes/) and informed me.
2013.04.20 - disclosed at my site about jPlayer (http://websecurity.com.ua/6379/).
2013.04.21 - tested version 2.3.0 and found that developers fixed only one attack vector and didn't make complete fix, as I recommended in March, so I reminded them and sent them examples of two new XSS.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Related for SECURITYVULNS:DOC:29316