Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29525
HistoryJul 08, 2013 - 12:00 a.m.

Vulnerabilities in multiple plugins for WordPress with VideoJS

2013-07-0800:00:00
vulners.com
110

Hello 3APA3A!

These are Cross-Site Scripting vulnerabilities in multiple plugins for WordPress with VideoJS. Earlier I've wrote about vulnerabilities in VideoJS (http://seclists.org/fulldisclosure/2013/May/21). This is popular video and audio player, which is used at hundreds thousands of web sites and in multiple web applications. Google dork for VideoJS shows 446000 results and for WP plugins with it shows 178000 (inurl:video-js.swf inurl:wp-content/plugins/).

In addition to plugin VideoJS - HTML5 Video Player for WordPress (http://seclists.org/fulldisclosure/2013/May/35), about which I wrote earlier, here are new plugins with this player.

Among them are Video Embed & Thumbnail Generator, External "Video for Everybody", 1player, S3 Video and EasySqueezePage. But there are other vulnerable plugins for WP with video-js.swf (which can be found with above-mentioned Google dork). All developers of these plugins, the same as developers of all other web applications with VideoJS, need to update it in their software.


Affected products:

Video Embed & Thumbnail Generator 4.0.3 and previous versions.
External "Video for Everybody" 2.0 and previous versions.
1player 1.2 and previous versions.
S3 Video 0.97 and previous versions.
EasySqueezePage (all versions).

Vulnerable are web applications which are using VideoJS Flash Component 3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not vulnerable to mentioned XSS hole, except XSS via JS callbacks (as it can be read in repository on github). Also there are bypass methods which work in the last version, but the developers haven't fixed them due to their low impact. So update to last version of VideoJS.swf.


Affected vendors:

Plugins' pages at WordPress plugins catalog:

Video Embed & Thumbnail Generator
http://wordpress.org/extend/plugins/video-embed-thumbnail-generator/
External "Video for Everybody"
http://wordpress.org/extend/plugins/external-video-for-everybody/
1player
http://wordpress.org/extend/plugins/1player/
S3 Video
http://wordpress.org/extend/plugins/s3-video/


Details:

Cross-Site Scripting (WASC-08):

Video Embed & Thumbnail Generator:
http://site/wp-content/plugins/video-embed-thumbnail-generator/video-js/video-js.swf?readyFunction=alert(document.cookie)
External "Video for Everybody":
http://site/wp-content/plugins/external-video-for-everybody/video-js/video-js.swf?readyFunction=alert(document.cookie)
1player:
http://site/wp-content/plugins/1player/players/video-js/video-js.swf?readyFunction=alert(document.cookie)
S3 Video:
http://site/wp-content/plugins/s3-video/misc/video-js.swf?readyFunction=alert(document.cookie)
EasySqueezePage:
http://site/wp-content/plugins/EasySqueezePage/videojs/video-js.swf?readyFunction=alert(document.cookie)


Timeline:

2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They thanked and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding) and uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed the hole completely and informed them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua