[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Vulnerabilities in VideoJS

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Vulnerabilities in VideoJS
From: illwill <illwill@xxxxxxxxxx>
Date: Wed, 08 May 2013 12:26:19 -0400

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">learn to fucking internet.<br>
      <br>
      <div class="moz-signature">
        <meta http-equiv="content-type" content="text/html;
          charset=ISO-8859-1">
        <title></title>
        <small><small>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -illwill<br>
            <a class="moz-txt-link-abbreviated" 
href="mailto:illwill@xxxxxxxxxx";>illwill@xxxxxxxxxx</a><br>
            <a class="moz-txt-link-freetext" 
href="http://illmob.org";>http://illmob.org</a></small></small><br>
        <img src="cid:part1.06010502.03040100@illmob.org" alt=""><br>
        <br>
        <br>
        <br>
        <br>
        <br>
      </div>
      On 5/7/2013 11:09 AM, Ron Yount wrote:<br>
    </div>
    <blockquote
cite="mid:6213D303F205454F8AC13C9331AC8C822F3AE6A532@xxxxxxxxxxxxxxxxxxxxx"
      type="cite">
      <pre wrap="">Please unsubscribe.  Address to be inactive

-----Original Message-----
From: Full-Disclosure [<a class="moz-txt-link-freetext" 
href="mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx";>mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx</a>]
 On Behalf Of MustLive
Sent: Monday, May 6, 2013 4:45 PM
To: <a class="moz-txt-link-abbreviated" 
href="mailto:submissions@xxxxxxxxxxxxxxxxxxxxxxx";>submissions@xxxxxxxxxxxxxxxxxxxxxxx</a>;
 <a class="moz-txt-link-abbreviated" 
href="mailto:full-disclosure@xxxxxxxxxxxxxxxxx";>full-disclosure@xxxxxxxxxxxxxxxxx</a>;
 1337 Exploit DataBase
Subject: [Full-disclosure] Vulnerabilities in VideoJS

Hello list!

I want to inform you about vulnerabilities in VideoJS. This is popular video 
and audio player, which is used at hundreds thousands of web sites and in 
multiple web applications.

This is Cross-Site Scripting vulnerability in VideoJS. There is also DoS hole 
related to this player, which I've found at 27.01.2013 at vine.co, which was 
using VideoJS Flash Component v3.0 (<a class="moz-txt-link-freetext" 
href="http://vine.co/v/b5HpgZT3ZwL";>http://vine.co/v/b5HpgZT3ZwL</a>).
Which concerned with Flash Player, Adobe fixed it already at 12th of February.

More information is in my advisory for DoS vulnerability in Adobe Flash Player 
(<a class="moz-txt-link-freetext" 
href="http://seclists.org/fulldisclosure/2013/Apr/9";>http://seclists.org/fulldisclosure/2013/Apr/9</a>).
 Here is my video demonstration of BSOD in Adobe Flash in Mozilla Firefox with 
using VideoJS (<a class="moz-txt-link-freetext" 
href="http://www.youtube.com/watch?v=xi29KZ3LD80";>http://www.youtube.com/watch?v=xi29KZ3LD80</a>).

-------------------------
Affected products:
-------------------------

Vulnerable are versions before VideoJS Flash Component 3.0.2 and VideoJS 4.0. 
Versions VideoJS Flash Component 3.0.2 and VideoJS 4.0 are not vulnerable to 
mentioned XSS hole, except XSS via JS callbacks (as it can be read in 
repository on github). Also there are bypass methods which work in the last 
version, but the developers haven't fixed them due to their low impact. This 
week developers are planning to officially release VideoJS 4.0 (but swf-file 
with fixed XSS hole is already available at video.js and video-js-swf 
repositories on github).

Updated version of VideoJS.swf is available in the next repositories:

<a class="moz-txt-link-freetext" 
href="https://github.com/videojs/video-js-swf";>https://github.com/videojs/video-js-swf</a>
<a class="moz-txt-link-freetext" 
href="https://github.com/MustLive/video-js-swf";>https://github.com/MustLive/video-js-swf</a>

-------------------------
Affected vendors:
-------------------------

Earlier Zencoder, now Brightcove
<a class="moz-txt-link-freetext" 
href="http://videojs.com";>http://videojs.com</a>

----------
Details:
----------

Cross-Site Scripting (WASC-08):

<a class="moz-txt-link-freetext" 
href="http://site/video-js.swf?readyFunction=alert(document.cookie)">http://site/video-js.swf?readyFunction=alert(document.cookie)</a>

But the fix in VideoJS Flash Component 3.0.2 is not protecting from the next
attacks:

<a class="moz-txt-link-freetext" 
href="http://site/video-js.swf?readyFunction=alert";>http://site/video-js.swf?readyFunction=alert</a>

<a class="moz-txt-link-freetext" 
href="http://site/video-js.swf?readyFunction=prompt";>http://site/video-js.swf?readyFunction=prompt</a>

<a class="moz-txt-link-freetext" 
href="http://site/video-js.swf?readyFunction=confirm";>http://site/video-js.swf?readyFunction=confirm</a>

Which are small ones and the developers don't worry about them, so after I've 
drawn their attention last week on incomplete fix, they still released such 
fix. But they will think about improving their protection in the future 
versions.

------------
Timeline:
------------ 

2013.01.27 - found DoS (BSOD) vulnerability.
2013.01.28 - recorded video PoC. And in the night have informed Adobe.
2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They 
thanked and promised to fix it.
2013.02.12 - Adobe fixed DoS vulnerability.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the 
fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to 
Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the 
hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And made 
my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in 
source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding) and 
uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed the 
hole completely and informed them.

Best wishes &amp; regards,
MustLive
Administrator of Websecurity web site
<a class="moz-txt-link-freetext" 
href="http://websecurity.com.ua";>http://websecurity.com.ua</a> 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: <a class="moz-txt-link-freetext" 
href="http://lists.grok.org.uk/full-disclosure-charter.html";>http://lists.grok.org.uk/full-disclosure-charter.html</a>
Hosted and sponsored by Secunia - <a class="moz-txt-link-freetext" 
href="http://secunia.com/";>http://secunia.com/</a>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: <a class="moz-txt-link-freetext" 
href="http://lists.grok.org.uk/full-disclosure-charter.html";>http://lists.grok.org.uk/full-disclosure-charter.html</a>
Hosted and sponsored by Secunia - <a class="moz-txt-link-freetext" 
href="http://secunia.com/";>http://secunia.com/</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Vulnerabilities in VideoJS
  - From: MustLive
- Re: [Full-disclosure] Vulnerabilities in VideoJS
  - From: Ron Yount

Prev by Date: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software
Next by Date: [Full-disclosure] Vulnerabilities in multiple web applications with VideoJS
Previous by thread: Re: [Full-disclosure] Vulnerabilities in VideoJS
Next by thread: [Full-disclosure] Ruxcon 2013 Call For Papers
Index(es):
- Date
- Thread