what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VideoJS Cross Site Scripting

VideoJS Cross Site Scripting
Posted May 6, 2013
Authored by MustLive

VideoJS suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 139174ef78c5cd7005b493eea97a84315c36e8d0deb9be083d494629a3bc8d5d

VideoJS Cross Site Scripting

Change Mirror Download
Hello list!

I want to inform you about vulnerabilities in VideoJS. This is popular video
and audio player, which is used at hundreds thousands of web sites and in
multiple web applications.

This is Cross-Site Scripting vulnerability in VideoJS. There is also DoS
hole related to this player, which I've found at 27.01.2013 at vine.co,
which was using VideoJS Flash Component v3.0 (http://vine.co/v/b5HpgZT3ZwL).
Which concerned with Flash Player, Adobe fixed it already at 12th of
February.

More information is in my advisory for DoS vulnerability in Adobe Flash
Player (http://seclists.org/fulldisclosure/2013/Apr/9). Here is my video
demonstration of BSOD in Adobe Flash in Mozilla Firefox with using VideoJS
(http://www.youtube.com/watch?v=xi29KZ3LD80).

-------------------------
Affected products:
-------------------------

Vulnerable are versions before VideoJS Flash Component 3.0.2 and VideoJS
4.0. Versions VideoJS Flash Component 3.0.2 and VideoJS 4.0 are not
vulnerable to mentioned XSS hole, except XSS via JS callbacks (as it can be
read in repository on github). Also there are bypass methods which work in
the last version, but the developers haven't fixed them due to their low
impact. This week developers are planning to officially release VideoJS 4.0
(but swf-file with fixed XSS hole is already available at video.js and
video-js-swf repositories on github).

Updated version of VideoJS.swf is available in the next repositories:

https://github.com/videojs/video-js-swf
https://github.com/MustLive/video-js-swf

-------------------------
Affected vendors:
-------------------------

Earlier Zencoder, now Brightcove
http://videojs.com

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/video-js.swf?readyFunction=alert(document.cookie)

But the fix in VideoJS Flash Component 3.0.2 is not protecting from the next
attacks:

http://site/video-js.swf?readyFunction=alert

http://site/video-js.swf?readyFunction=prompt

http://site/video-js.swf?readyFunction=confirm

Which are small ones and the developers don't worry about them, so after
I've drawn their attention last week on incomplete fix, they still released
such fix. But they will think about improving their protection in the future
versions.

------------
Timeline:
------------

2013.01.27 - found DoS (BSOD) vulnerability.
2013.01.28 - recorded video PoC. And in the night have informed Adobe.
2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They
thanked and promised to fix it.
2013.02.12 - Adobe fixed DoS vulnerability.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the
fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to
Zencoder's developers (since Brightcove, which acquired Zencoder, ignored
the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And
made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in
source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding)
and uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed
the hole completely and informed them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close