mailing list archives
Vulnerabilities in jPlayer
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 21 Apr 2013 23:42:36 +0300
I want to inform you about multiple vulnerabilities in jPlayer. These are
Cross-Site Scripting and Content Spoofing and vulnerabilities in jPlayer.
Which is used at tens thousands of web sites and in multiple web
Vulnerable are versions before jPlayer 2.2.23. Version 2.2.23 and the last
released version 2.3.0 are not vulnerable to mentioned XSS, except CS via JS
and XSS via JS callbacks. Also there are other bypass methods which work in
version 2.3.0, but the developers haven't fixed them besides attack via
alert. About that I've wrote to developers already in March and reminded
again. So wait for new version with fixing of these vulnerabilities.
Cross-Site Scripting (WASC-08):
In different versions of jPlayer there are different XSS vulnerabilities.
0.2.1 - 1.2.0:
In version 2.2.0 these XSS vulnerabilities were fixed (the developers was
informed about hole in jQuery parameter and made a fix, which protected from
both attacks). But Malte Batram (in version 2.2.19) and I (in version
2.2.20) have found new ones.
2.2.0 - 2.2.19 (and previous versions):
Attack works in Firefox (all versions and browsers on Gecko engine), IE6 and
2.2.20 - 2.2.22 (and previous versions):
Content Spoofing (WASC-12):
It's possible to conduct CS (inclusion of audio/video files from external
resources) via JS and XSS via JS callbacks. This requires HTML Injection
vulnerability at the site. The attack is similar to XSS attacks via
callbacks in JW Player (http://securityvulns.ru/docs28176.html).
Because this attack vector requires separate vulnerability at target site to
conduct CS and XSS attacks with using of jPlayer, the developers didn't do
anything to fix it. The same as developers JW Player. So protection from
this attack scenario lies solely on web sites owners.
2013.01.31 - found vulnerabilities in jPlayer at multiple web sites (in
2013.03.14 - announced at my site.
2013.03.19 - informed developers.
2013.03.19-30 - discussed with developers different vulnerabilities in
different versions of jPlayer and at their sites.
2013.03.21 - developers was informed by Malte Batram's about XSS hole in
2013.03.21 - developers fixed Malte's XSS hole in 2.2.20 in github
2013.03.22 - informed developers about new hole, which works in 2.2.20.
2013.03.23 - sent details of new XSS and warned about possibility for other
XSS attacks and gave recommendations about proper fixing of XSS to prevent
any future XSS.
2013.03.30 - reminded developers about last hole.
2013.04.12 - developers fixed my XSS hole in 2.2.23 in github.
2013.04.20 - developers released jPlayer 2.3.0
(http://www.jplayer.org/2.3.0/release-notes/) and informed me.
2013.04.20 - disclosed at my site about jPlayer
2013.04.21 - tested version 2.3.0 and found that developers fixed only one
attack vector and didn't make complete fix, as I recommended in March, so I
reminded them and sent them examples of two new XSS.
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Vulnerabilities in jPlayer MustLive (Apr 21)