Ticket #1585 (closed bug: fixed)
Address cross-site scripting vulnerabilities
| Reported by: | pablo | Owned by: | pablo |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | flash | Keywords: | |
| Cc: | | Forum thread: | |
Description
From Phil:
There are multiple XSS vulnerabilities in the JW Player:
The first two instances were previously known and "fixed" with a custom ActionScript function "cleanLink":
```actionscript
// The player's original sanitizer, quoted from the report: one-shot, case-sensitive
public static function cleanLink(arg0:String) : String
{
    return arg0.replace(new RegExp("^(javascript|asfunction|vbscript)\\:"), "");
}
```
This function does not adequately protect against XSS because it will only remove the first instance of the text "javascript:" from a URL. A URL like "javascript:javascript:alert(1)" will be "cleaned" to "javascript:alert(1)".
The other three instances of cross-site scripting vulnerabilities do not appear to be publicly known at this time.
- JW Player "link" parameter: Load the URL and click anywhere in the window.
- JW Player "logo.link" parameter in licensed versions of JW Player: Load the URL and click on the logo in the top-left.
- JW Player "aboutlink" parameter: Load the URL and right-click on the flash application. Choose "getXSSed!" from the menu
Change History
comment:1 Changed 15 months ago by pablo
- Status changed from new to closed
- Resolution set to fixed
- Milestone changed from Player 5.10 to Player 5.9 Patch 1
comment:2 Changed 14 months ago by pablo
- Milestone changed from Player 5.9 Patch 1 to Player 5.9
Milestone Player 5.9 Patch 1 deleted
comment:3 Changed 12 months ago by pablo
- Milestone changed from Player 5.9 to Player 5.10
Added an additional check for casing (i.e. "JavaScript:" instead of "javascript:") in [2159]
comment:4 Changed 12 months ago by pablo
- Status changed from closed to reopened
- Resolution fixed deleted
If the debug parameter is set to a javascript function, the player will execute it.
comment:5 Changed 12 months ago by pablo
If something like javajavascript:script: appears, the replacement only occurs once. Reported by Ali Pezeshk of Microsoft and Microsoft Vulnerability Research (MSVR)
comment:6 Changed 12 months ago by pablo
- Status changed from reopened to closed
- Resolution set to fixed
Resolved in [2206]
comment:7 Changed 11 months ago by pablo
Reported by Soroush Dalili (@irsdl, SecProject.com):
Firefox has a vulnerability where a request with the "feed:" prefix will execute any javascript contained within.
Fixed in [2274]
comment:8 Changed 11 months ago by pablo
Also pointed out by Soroush Dalili:
New fix can also be bypassed by: http://developer.longtailvideo.com/trac/testing?file=feefeed:d:javascript:alert%281%29;//@irsdl.mp4&autostart=true
Fixed in [2292]
comment:9 Changed 9 months ago by pablo
- Status changed from closed to reopened
- Resolution fixed deleted
- Milestone changed from Player 5.10 to Player 5.11
In the commercial player, it's possible to use logo.link with base64-encoded HTML to inject javascript (Firefox only):
http://site/jwplayer.swf?file=1.flv&logo.file=1.jpg&logo.link=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
The aboutlink parameter also suffers from this vulnerability.
Fixed in [2393]
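The pattern running through this ticket, from the original cleanLink in the description to the feed:, stacked-prefix and data: bypasses in comments 5, 7, 8 and 9, is a denylist sanitizer that is extended one scheme at a time. The following is an added example, not JW Player code: it transcribes the ticket's cleanLink to JavaScript, shows that a looping variant closes the stacked-prefix hole but still admits unlisted schemes, and contrasts both with an allowlist check that resolves the link against a fixed base and accepts only http(s). The base URL and the sample inputs are constructed for the example.

```javascript
// Added example (not JW Player code). Base URL is an assumption; any
// fixed origin the player would legitimately resolve relative links against works.
const BASE = "https://example.invalid/player/";

// The ticket's cleanLink, transcribed from ActionScript. It strips a denied
// scheme prefix once and is case-sensitive, which is why the stacked
// "javascript:javascript:" and "JavaScript:" inputs survive it.
function cleanLinkOriginal(url) {
  return url.replace(/^(javascript|asfunction|vbscript):/, "");
}

// A denylist that loops until nothing changes (case-insensitive) closes the
// stacked-prefix bypass, but still passes any scheme it has not been told
// about (feed:, data:, ...). Shown only to motivate the allowlist below.
function cleanLinkLooped(url) {
  let prev;
  do {
    prev = url;
    url = url.replace(/^(javascript|asfunction|vbscript):/i, "");
  } while (url !== prev);
  return url;
}

// Allowlist: parse with the WHATWG URL parser (which strips leading/trailing
// space and control characters, removes embedded tabs/newlines and lowercases
// the scheme), then accept only http: or https:. Returns the normalised
// absolute URL, or null when the link must not be opened.
function safeLink(url) {
  if (typeof url !== "string") return null;
  let parsed;
  try {
    parsed = new URL(url, BASE);
  } catch {
    return null; // unparseable input is rejected, not "cleaned"
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.href;
}

// Constructed inputs modelled on the bypass patterns reported in the ticket.
const BYPASSES = [
  "javascript:javascript:alert(1)",                 // stacked prefix (description)
  "JavaScript:alert(1)",                            // casing (comment 3)
  "javajavascript:script:alert(1)",                 // split prefix (comment 5)
  "feed:javascript:alert(1)",                       // feed: wrapper (comment 7)
  "feefeed:d:javascript:alert(1);//@example",       // nested feed: (comment 8)
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==", // data: (comment 9)
  "  javascript:alert(1)",                          // leading whitespace
  "java\tscript:alert(1)",                          // embedded tab
];

// One row per input: what each sanitizer would hand to the navigation call.
function report() {
  return BYPASSES.map((u) => ({
    input: u,
    original: cleanLinkOriginal(u),
    looped: cleanLinkLooped(u),
    allowlist: safeLink(u),
  }));
}

console.table(report());
```

Every row of the report comes back with `allowlist: null`, while both denylist variants return a string for most rows; the point is that an allowlist does not need a new patch each time a browser adds a scheme that can carry script. Legitimate links still work: a relative path resolves against the base, and `http://` and `https://` URLs pass through unchanged.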
comment:10 Changed 9 months ago by pablo
- Status changed from reopened to closed
- Resolution set to fixed
comment:11 Changed 5 months ago by pablo
- Milestone Player 5.11 deleted
Fixed in [2146]